23542300x8000000000000000392977Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:06.890{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F8199A12D2F48C9D3C6B3087EFD9782,SHA256=47EDEFA3DC3712466640F1F177E27BDBFAEB4839C61F953FD44243F43B935E6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448078Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:06.120{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A1F67120C002E00617F811C39362D7,SHA256=E3BB1D6074FDBA410E36E854226C0A96523C63D84CC4570BDDCD3D900DFC7477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392979Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:07.905{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=903001AD70D32753BB46E7ACB0622ADE,SHA256=35BD83D35127125E96E9EEFC92ADBBC85FEDEE7965D6152806E23328A7AC260A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448079Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:07.121{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BD172A846168FCDC722A990379D2D6F,SHA256=686890CF1C6950F82B072E76934A588F8E4273BF56FB229CFED9DD9C2368F8F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392978Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:05.442{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53574-false10.0.1.12-8000- 23542300x8000000000000000392980Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:08.905{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=391754948AFE88BA0ED120BDAB82E6F8,SHA256=DFE1D3E499F12816E1AA33D58C85257788B937EF38A5AB3BBCF997B3C5C04343,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448080Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:08.136{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52C5C67D42E9B702AD14BB3F2DF19CD1,SHA256=CB962344816B61BCA31F0C691DD7948FD9C218062A5EBDF096FBA7ECEDDC3F9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392981Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:09.905{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F36B94B40B91B97F70A3266291EEB7,SHA256=EC2C90AF77D9F743D428874E3B8615E71BEF53657F470EE82B05077CFE3D0A21,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448082Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:06.694{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54153-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448081Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:09.150{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C431122A4F5DC7CB6C3B5FBEE6598F0A,SHA256=900C3064802BE478C8B26D14101E7C7A18645D0032497A7E0C99D38E5F2E4263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392982Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:10.905{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E546AEA9210091E0DFFD7760F6A9795,SHA256=559975710C9B03FD251B7BA13545EE01B5663C2A5082C7E8E20010C5659E414F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448088Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:10.265{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=D604790A714ECB2C645B7A77FDD103F8,SHA256=5FB9E6861FA97B3C363E2D5BC2F422ABC784795B5AED3D509776F5C33029BBBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448087Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:10.265{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=7F2C5741D3B672D463ABC75F0D817F10,SHA256=B56719FE0E1E567B8D364DEDBC12BD760B49EC2A1C853E9F09E6D5AFD20D6050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448086Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:10.265{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=6883F6217DE34CE61FDC75F81009F459,SHA256=89E059207DBF5C56935E00A45D6DC1F1D199A835D322E8BD2A74A33F92EB7631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448085Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:10.265{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=F9BB46CB03CC6B430D628498883E1DDC,SHA256=513922C77D7F5BAF43F17ADC10C705CA77F4686A99F4F81BA107F00163B52303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448084Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:10.265{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=420A69DDB08E94F317DFB791103877D1,SHA256=1A57EFB495D7F0038B6F00B30B8B6F0C875940CE94859C0B0F4A064CCEC1A3C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448083Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:10.182{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AEC45813FA9946B31625732EE005EE1,SHA256=182BE35EF7815820B15FFDA76DFF3DC5658F9D62EB242DB7AC8B45285FBDA002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392983Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:11.905{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A31FB75C19D290A7ED9677DC35DD6B,SHA256=774D152CA3FC4725F35A9D3B8619FC9975D342AE78BF296E63422F099518E23F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448089Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:11.201{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99C170E318023FBCCAACC2AE76E37495,SHA256=FF11E23FDAE73CD11E38AE20739DA11F84CF51EA333E738F82AEF4E8157A5491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392985Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:12.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4301D06F36C88EBFD6A2C4FB65B8AE4F,SHA256=22B5019B713C58B4A6AA99A705CBC93081A6E80391653F3F1B0347EA09D57189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448090Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:12.215{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB598E619C8509AF91132B1369D4A4A,SHA256=0105F01329232DB45E062402D8DBD35F160FF6E1534D84867F52E255DF259537,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392984Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:11.442{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53575-false10.0.1.12-8000- 23542300x8000000000000000392986Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:13.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F40C45A72F2DFC92C262CF830C4B6E3,SHA256=D94E580CA45E3347B22EC1DAD8A8179F5B537135A2BD56ED8CACB2253020DE53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448091Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:13.261{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6862CD7FD3F14ECCFAA412CD1E4C6E9,SHA256=361AAC4BD666A513296E9EB1B984613A997CA681EE5CDD66D4DFA8A549772AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392987Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:14.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA3F708D62B8B583B0082BBD6ACC9B44,SHA256=36A1E72EEEF079EEBD7EACE179A4333D25D08A4F791D09C76CA1064F4BBA26D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448092Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:14.277{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45EDCBF8E952C4529C7551115F9402E9,SHA256=7277473160D8BD1DFA596D582741715C93ACB63EADA20CDB51F01D8AC013E02D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392988Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:15.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296E32AC60067DC9B618E379FD876714,SHA256=27B5715FE7B816320260F24C18EDC2BB5EEF8BA1BB342AFC4D093E2A7A03B846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448094Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:15.311{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B69B8AAEB1FE296B02D7141626FD865,SHA256=FF14BA5E8CDFB79E6042B8692EBFF3318494C314CB7FD20ADA6B3F4171BACEC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448093Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:12.718{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54154-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000392989Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:16.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6661B891B7F34881559655A60356D65,SHA256=4AA7861CAD2275B6B82DCA803E7646607201D70BD8567DDFB987639327ED2195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448095Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:16.375{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A179FE0C5CB1FD772CA845CA10A6663,SHA256=62DE326C54B89FA113F2377968BD21EDABF19A09C688FACA2F3839E21CDA0A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392990Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:17.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01B9315A18AA48F56D0671248D95912F,SHA256=7DD26B7A5E730B3C122B5A3CEC7D61971715CD505A0E44A1827F82A85CD056AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448096Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:17.409{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49AB0ED37081F01B942946B3D9B0A207,SHA256=9649F0B320513E1EAA50D7D2508BCB050DE931A4DF62385E53C94DD40ED35EEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392992Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:18.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=064DE98BA12EA60FE56689543B97E68F,SHA256=2AEAFEC5B49BC27635414B3DC52786F476F60EB402E9AE2D57653E09EF9CF029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448097Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:18.424{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8EDBE9FB70DF18C95089DB0AB58F08F,SHA256=8268210B8FA691403F89B334612A8D835C5739D4113F5242AD9FB6B177C5B93F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392991Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:17.302{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53576-false10.0.1.12-8000- 23542300x8000000000000000392993Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:19.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C80A1E2489C437FC30356A15A856805E,SHA256=12844E4F7ABA80098ADCB3D09B4BBBDEA15533852789E86AD6BFB9C560C914D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448098Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:19.454{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EB8B51E544E9A97BD71558105702387,SHA256=2D7703E6680B7637E9E0268BEB7623926F38AEB3B1A97A8BE75EE07BBB8C4480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392994Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:20.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C319F403962AFAB3BED8AA34603F09EF,SHA256=F6C82585619EB298F18504F15C57929A88EAF6D9DD0BFCD76519674CFA1E28A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448099Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:20.490{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D3BAF078AC97ED41AF5EF40A2EF218B,SHA256=855C02104CE47A7D9251574DCACB0E10955B2FFBF141BF553E7F4EA260776E4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392995Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:21.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7693EA250C7477725FC3D617C0C4C79,SHA256=8F9DFDBA713C89D42E4C12395CF05362FD530862F5D58A2C8E8F5CC9E3ECED1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448101Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:21.504{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1A531AD44CA848B4FF97461F90B353,SHA256=4B890F865FED063722C5E722B02785FD4A142F32DB71871AA226D981C3C01AD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448100Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:18.527{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54155-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000392996Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:22.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C521CB16AD8EF45CDC3E6F72C200CDF,SHA256=79BB7208427629F74598F368C7B5CC4E511600F14F0C69AD348A60642EA49B5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448102Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:22.519{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1DC9FA655B775CB6995ABC6D8678203,SHA256=DA3F3BCD5E77C8F2DCDD444D52BD4C9FF39D4E7C7AFB050C95A662E3CF29DC8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392997Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:23.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B28B3482904C09C05592C3D2870C59,SHA256=C96229E90B82BA579F96783ADA991B5B993A773B14C45077583231F0562F45F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448103Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:23.534{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCFB7A0F2B408D740D550A45AC5849EB,SHA256=B5850A1D6EDF67D3D3E556C9C64011A012C80C6084674604A11A0D83B57680A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000392998Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:24.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B651C399E99B396FD22A5D4439B77742,SHA256=455248C2F06BDA3CE62174952C41511E890CA6744F74CB18CEB2965BF2282CAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448104Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:24.548{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5910C742E85B5C2F161D4286F4FE097,SHA256=74C6DFE4F2A464227496C8705462513800517BD1B04B212A29C256CC2CE0D2E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393000Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:25.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B67C5B6C558A692AD701F18C59B1CB32,SHA256=54415815434D0321CA47C358F2A7AE103DB7AC52EC73FE939B0C59418BEE8B0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448110Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:25.566{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EAA5E02F65AB69A657C97E7FE759D7E,SHA256=C72FCDEFABF16A80985934E7098052BE954AC0FAD85800495CA6B32AB04FE8BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000392999Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:23.317{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53577-false10.0.1.12-8000- 23542300x80000000000000001448109Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:25.232{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=98F2A077CA6E4B95B4D0A97F99032F44,SHA256=BF8A942C0D692EAC3A4576FBE247A975F8198289519E63E9101B52FD5DDCD10B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448108Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:25.232{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=7B9D66D97A140F6F717094018FF12B3F,SHA256=A3C3FA8E9DAFBE34F0AD95BEED19FB6C9413E5A10B3FFFBD8C2A2606A8533733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448107Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:25.232{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=14E55D54581592E8816AE5448087412E,SHA256=DA65CEDDE57E88ED354A0182668E4515597F5700B357FEB7B6C57D6F4E7CEEFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448106Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:25.232{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=1FF243E301B7C2BC13EA6F9D38B4F7FE,SHA256=B2F2EE3750D5B583D37C6F52613B58D7A952C42C85A7D538AFA0E125FF7A4A60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448105Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:25.232{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=D805E4C9A7A1268B2A8DF1AC4E42F667,SHA256=091816F76E92DB778A230EF0F5CA55598F2BCA81F2132F9C3978B9AB25A1038F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448112Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:26.584{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=289A5BB26A9FE34A684DBC18A6A2E66C,SHA256=E733B65A1E7514D70FC9C3112C5DF26B1A756A127A764B4E03BE19CB2473716D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393002Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:26.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12DFF0F929CE9729DC986DCCC5C598DC,SHA256=41912B5856761D863DE0DF548F9E2596ACF3A740202260B7148DD6EB6F2D95C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393001Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:26.202{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=875016772D93B9340B949D785388730A,SHA256=5DE042B64410842BD40A2A697884F4371D4E032CF4D0B2D1A297B2E101EB6713,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448111Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:24.558{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54156-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000393003Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:27.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FC0C42FEE0CA818B487068B896B1663,SHA256=A545BA01F84C43715D5610C35EB05911F5043E9EB5CCE74CDD0C0590310A4D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448113Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:27.614{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3ED3C5BBD63048FAE3D147AEB9F7314,SHA256=2A452D7DB4B9B54AB6A85B0BAB63ABA572BF0145847E2DCF7AFE9FEFE7C459E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393004Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:28.936{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB2C346E2019C27D220F47CA447A129,SHA256=5F87A2DF7543F1EA842FAC9194BF6B920E7F2098F860D857553CC6CD640AB8F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448114Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:28.644{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA77005664F4829CEC0E0259C5614A86,SHA256=71E3BEAE4D2BAAD5D2CB9ABB4342B320F0A6173CB8C0B54DAC0B77E93B6A4C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393005Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:29.936{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB9822FAAF1232186B8A7750053BFE69,SHA256=AD6BDEF23AF9E50D83D1D4030D548289BFF53EEDA0AF2331CAA88583D784650B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448116Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:29.811{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448115Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:29.660{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C4C08BC84D27947DC3D64885BC138D,SHA256=743BE49D97292ADC98D573A603E075F338C59F97007C09879A56180B3A07B86B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448117Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:30.679{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D3C094EC65A3DFF19F8A3908F25C042,SHA256=A585C95848A445D7F1296AE3DBDC5C8CCEDB4F28386EBE1ABCC7B434F202396A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393007Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:30.936{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11681EA0468AC0C634F25F424A87B3E0,SHA256=3819D5091C289F1C68CCFCE3545BDEBD195606F42E5A95F9CF7A2827DB03C69E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393006Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:30.561{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393009Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:31.936{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B96C2260E02E46400FA48BFE7932FA,SHA256=D7DCE8CE2A6123875D96552123FFED129FB0F23D6344AE572433CD078A079883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448119Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:31.710{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37193AC96D10CC4C664F2ED07EB76961,SHA256=360EE98AF5D59044A379D35ECED4CB00A8C59996D45C64ABEB1DAF5D2E0714CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448118Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:29.268{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54157-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000393008Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:29.334{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53578-false10.0.1.12-8000- 23542300x8000000000000000393011Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:32.936{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25CCE25AEDFB3301CDBEAAC9F365DFE3,SHA256=610EEC315B4B3C45218DF74A5C048A6F384E9117A22EA5844D7B6F36F60688EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448121Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:32.740{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E984A70FE8642E2EBDC3B8347AE16E65,SHA256=961F40131600E957D7E21781A9CC2602348348F3883972D3458849DBC2791B24,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393010Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:30.724{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53579-false10.0.1.12-8089- 354300x80000000000000001448120Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:30.567{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54158-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000393012Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:33.936{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E34AA276AD1A2E1C74620D17DCAC470A,SHA256=3EB7D1BA5E804597AAF2638E2B1703195D375C482627256E4B1FE7FAD8846B34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448123Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:33.757{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC3732D1479EC8DB4DAE50DE8BA9DE0F,SHA256=9309308FB19DFE453341E65283F7F9EAAE6A33E77697A698CCB7D8DAA9AD86BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448122Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:33.691{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C4028D605045C5DDB0DD926267E6748B,SHA256=D9E448E260368930B1C176A286143CA1E3C80991867884643AD1E1A3882AE833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393027Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:34.936{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B559561538718E8390A2FE6991E752A1,SHA256=E7452B0D6D32F2ABB285D25DB9CDB814A59BA664B7BEE163649B70320931CD3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448124Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:34.774{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AAB0A92B90C06010AE9492E123A81C9,SHA256=CFC49EA25FC676ACDD679BAC83C56A08C1D070E556C928E894FA860E5D03B7E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393026Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:34.858{7F1C7D0B-0236-60E3-B909-00000000D401}38921324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393025Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:34.624{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0236-60E3-B909-00000000D401}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393024Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:34.624{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393023Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:34.624{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393022Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:34.624{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393021Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:34.624{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393020Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:34.624{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393019Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:34.624{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393018Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:34.624{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393017Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:34.624{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393016Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:34.624{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393015Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:34.624{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0236-60E3-B909-00000000D401}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393014Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:34.624{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0236-60E3-B909-00000000D401}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393013Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:34.625{7F1C7D0B-0236-60E3-B909-00000000D401}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448125Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:35.805{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F778D269FFC9570B820B544C914D08F1,SHA256=CB0798BDB6D0A99B7595E13233CA2882377463E03F911A6A2C4B9185E959F5C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393055Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.624{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44C93FB5C14C93EC1F6401D5A9CAA7E9,SHA256=169DC8BFA1FCB4B9B3BCC78A588F39A6A870BD0AC5A11F1D282D57ABACC16D3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393054Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.624{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0237-60E3-BB09-00000000D401}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000393053Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.624{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2304F0AF7C18BA86EFCB2B088CC5121,SHA256=8115207F02C60023DC09B5251018E4214922851FA91BD3F1237965C6C44CEB50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393052Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.624{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393051Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.624{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393050Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.624{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393049Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.624{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393048Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.624{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393047Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.624{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393046Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.624{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393045Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.624{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393044Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.624{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393043Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.624{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0237-60E3-BB09-00000000D401}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393042Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.624{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0237-60E3-BB09-00000000D401}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393041Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.625{7F1C7D0B-0237-60E3-BB09-00000000D401}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000393040Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.124{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0237-60E3-BA09-00000000D401}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393039Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393038Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393037Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393036Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393035Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393034Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393033Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393032Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393031Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.124{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393030Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.124{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0237-60E3-BA09-00000000D401}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393029Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.124{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0237-60E3-BA09-00000000D401}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393028Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.125{7F1C7D0B-0237-60E3-BA09-00000000D401}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448126Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:36.820{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=312760F04C05A1F92F350CAE0CFD3397,SHA256=64A133203F9976F596D178BC97106A51B1367418F47C46E3C9B8B9D6A9F1190C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393058Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:35.320{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53580-false10.0.1.12-8000- 23542300x8000000000000000393057Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:36.702{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44C93FB5C14C93EC1F6401D5A9CAA7E9,SHA256=169DC8BFA1FCB4B9B3BCC78A588F39A6A870BD0AC5A11F1D282D57ABACC16D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393056Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:36.296{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F7F4FD1D868B0C0E8FD0A660EADCB64,SHA256=6CD912EB714335988FF9B532A68FB31F0C531FE822165410CBE890ADD4E7659A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448127Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:37.835{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4F589CD6338692A40B65ACB05621EC,SHA256=1B9E5553CFFE9DF1374E8A24F4AC74C0C94E75FB568CDE0F6582D89B84C81571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393059Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:37.530{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBCA3604B79494C4280955A0FD4193EB,SHA256=2A2C06B2998E33C1781D341ABD343B057753888F81CBA0C97B536724593D815E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448129Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:38.852{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886691B718609E4064216B79FF547296,SHA256=944954762DEEBED49E09EF3D825F28FEC120B6B01880E874642F96240FA84F16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393060Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:38.546{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ABF8823DF66A34789D14C67B0FF5F49,SHA256=45A3553EDD3E7C3E9C3D117AE06676040BB20429F2C909728D1D13514F05F22C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448128Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:36.576{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54159-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448130Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:39.871{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A4234DF53AD852DAD98F2ED9AB58D3,SHA256=B4ADA85465CF288EAD54716EA8DA2E44E00FF0D61F345A26B67A830A5F624A2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393089Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.983{7F1C7D0B-023B-60E3-BD09-00000000D401}21042468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393088Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.827{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-023B-60E3-BD09-00000000D401}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393087Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.827{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393086Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.827{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393085Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.827{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393084Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.827{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393083Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.827{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393082Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.827{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393081Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.827{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393080Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.827{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-023B-60E3-BD09-00000000D401}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393079Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.827{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393078Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.827{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393077Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.827{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-023B-60E3-BD09-00000000D401}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393076Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.829{7F1C7D0B-023B-60E3-BD09-00000000D401}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393075Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.577{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77B6926359D673FAD62A6BBF0589A34,SHA256=1EE67C0D2EE1AE78D642CAF71B773A0AB83343889EC662854FC6E0EEC242658B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393074Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.390{7F1C7D0B-023B-60E3-BC09-00000000D401}4282744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393073Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.218{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-023B-60E3-BC09-00000000D401}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393072Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.218{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393071Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.218{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393070Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.218{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393069Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.218{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393068Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.218{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393067Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.218{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393066Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.218{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393065Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.218{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393064Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.218{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393063Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.218{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-023B-60E3-BC09-00000000D401}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393062Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.218{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-023B-60E3-BC09-00000000D401}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393061Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.218{7F1C7D0B-023B-60E3-BC09-00000000D401}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448131Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:40.901{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A7123CBC21DA17037BE169CE133D87,SHA256=4AA5AE7808B9A9D50DB028A022BD5A31EEC21445F28E40BA6F99CE228D1409F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393119Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.952{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-023C-60E3-BF09-00000000D401}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393118Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.952{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393117Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.952{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393116Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.952{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393115Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.952{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393114Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.952{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393113Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.952{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393112Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.952{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393111Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.952{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393110Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.952{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393109Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.952{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-023C-60E3-BF09-00000000D401}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393108Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.952{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-023C-60E3-BF09-00000000D401}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393107Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.953{7F1C7D0B-023C-60E3-BF09-00000000D401}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000393106Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:39.897{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-54522-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 10341000x8000000000000000393105Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.702{7F1C7D0B-023C-60E3-BE09-00000000D401}24361524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000393104Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.671{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC0A61B282246844EAF712352675ABA,SHA256=8DF5FB46ADB63DF9EF6BA3B47A96BC6AD8F1E65950FECDD3D066DEE754B73A3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393103Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.452{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-023C-60E3-BE09-00000000D401}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393102Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.452{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393101Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.452{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393100Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.452{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393099Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.452{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393098Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.452{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393097Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.452{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393096Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.452{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393095Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.452{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393094Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.452{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393093Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.452{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-023C-60E3-BE09-00000000D401}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393092Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.452{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-023C-60E3-BE09-00000000D401}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393091Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.453{7F1C7D0B-023C-60E3-BE09-00000000D401}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393090Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:40.265{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FBA36697A617C0C619E73677E948C5E,SHA256=824C1F07C677DA46DD2CBC5FF616B0E283349DA21E65FCA3537964888C313E4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448132Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:41.915{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AAE278A320755492FD2113AC56169AC,SHA256=3562820F582C4AF71D918AAC86820BE960A6246CF7B1E4136510222E7A02073A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393121Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:41.749{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76356B823665A63AEB39F6186E3E46AB,SHA256=D830A1C1531399399C7672CE49A6240AED45A9FD48F219162ECEA593C1FE4C0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393120Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:41.452{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59E995C63F80A778540F888C16DADAFA,SHA256=442A0FD2338C42F0E8CCF0C2C2925FE6DF96B4D805FA782C99D549D5940A06CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393122Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:42.749{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=167AB8940DB574A1EC9AEAF4DE6E463A,SHA256=166FCA60BF5D524BF42637621512E2B22480F84AC705824377B961BCB2C2CDED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448133Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:42.947{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=594A6FE3EABBEFA5037911183E6598AD,SHA256=CC024872671DFD40D250F20F8CAA5A1D1780DA345EF24BA037AD512DC23B98EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393124Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:43.749{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855694CB362D372A010473556FF32B70,SHA256=6F9F0C5DD26E22AEED266A0A081CA8A8B96C1ED3678C94F651560771C556C9F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448134Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:43.966{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2345B6BC095775F21BFE58606ACE838,SHA256=CF224B38DAD47773C23C6A8A2C8189D6CE6433BC43EA9B655B2B7B71DF846410,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393123Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:41.349{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53581-false10.0.1.12-8000- 23542300x80000000000000001448139Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:44.981{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB74D638CFDD8EBCAC309BFCDAE66E2,SHA256=BC284EDB8706C5ADCF536974D0585BA3C3EB6809ED657DD9D3EEE7362AEDA9D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393125Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:44.749{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4677854F5C1C6A4583F42448BDA32A85,SHA256=91D366F233352A403E034670F9AAB25983FA02F716E15B80539A73B139CC2C4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448138Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:42.586{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54160-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001448137Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:44.097{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55af0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001448136Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:44.097{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+555d1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001448135Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:44.097{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1321491.TMPMD5=7CC92A355EA66A219E3148903E63F654,SHA256=CDE288AC5D74287BFA2D9257B236405535586530C59E6CD093A4AD9FE7326A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448142Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:45.995{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDC09361DFB26FE9CCA103D16732976,SHA256=6F3096C11E842E114B4D374A5846594EC0777A0F4CB661C5483A5C77FAB3BC5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393126Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:45.765{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E9326C50D952094EF830B76BA1E7CD4,SHA256=61B290D9336971D974848BFB8CD7987D170C143517F37B594E84B125F7FCDCDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448141Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:45.065{D694AEB8-B3EA-60E2-0D00-00000000D301}9166928C:\Windows\system32\svchost.exe{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448140Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:45.065{D694AEB8-B3EA-60E2-0D00-00000000D301}9166928C:\Windows\system32\svchost.exe{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000393127Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:46.765{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A57A8F849E0DF6B757DA8ECB3E31DC1,SHA256=87F41BFE57B1F5516D7CC575FFC5174D2522C44407DB06C16DFD612DC3E7B70F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393128Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:47.765{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDFB1B67FEB02535BF10006976992400,SHA256=52581B18E3F8E956196015B844C2CAC477877B5B65605B02CA6A578C88FDC378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448143Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:47.010{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A602E297995D6331060DCBFDBA30D87D,SHA256=59BB7CF6E152EC5B1DA6068974072DDC24C251AB66E0B3C63C30590F6FFC1C06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393129Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:48.765{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE4BA02806ECCB3AB3DEF8056E152EF1,SHA256=7473BB5FBC7A4FC72CB2B044D6B58BF55C6A93E9F6AB1B01AD1DA2F02FB1E9CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448149Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:48.692{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=BC29247425827E7104AE95A52B41E1B0,SHA256=935DB1C3AA31114A1912269DD77849A9944C59F58A08C63AE90E2DD330D40C04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448148Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:48.692{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=BE1188E4615622DC9F9D530F376412EE,SHA256=7475EABAC35703529C807B6DA2CE5339019CDA9C841BC1C8CAB102D4492D5BE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448147Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:48.692{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=26EE0977BD2273A37A6F31B621ADA004,SHA256=A42F5426C7D3499977E95007C9D76977374F38E0221979BDB574B7BCFCF091A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448146Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:48.692{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=7DCD11FC82135CF23C0AD5542E02B1C9,SHA256=EC77DE6FFA951F7D4FFDB7254F4B74A2649A70B6C5DCDA899CFF31F859A5FA19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448145Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:48.692{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=756025B3A7F09612C5F30EEB696924BB,SHA256=3FAA822904F4FA21269532D833F6C62D5E3F239043B92FA53E44F21B0A476F26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448144Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:48.024{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F94C1C4328AF8CBBAFEE60FC69D956B,SHA256=1ACE25AD2D2642A127429C737C2FD646473A242B7BBB842A94B91FF74E47846B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393131Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:49.780{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45EB7317280D838C7DB7C356F4931A3F,SHA256=EB930931010C67DE8797875C6C971E0149976B2CF2D4EB00C2ECE21A0201A170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448150Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:49.076{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DBC43B8E64393CEC3040941A07AB911,SHA256=399CA80A46042565AB7612B40DF42A79DA57B802CB6F90F71D99CA599323EACC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393130Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:47.302{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53582-false10.0.1.12-8000- 23542300x8000000000000000393132Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:50.780{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08038D55588125D189A96CF993C13D8,SHA256=AA49A2AA2BFD7A6FBACC03C8FB2C9BFB87C2CF193C02498F82DF99AF3E296C44,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448152Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:48.595{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54161-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448151Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:50.107{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8824579B59F5F03626C2D4195A3635C0,SHA256=7DA32C408D7E6B9EB146326BC0095AD6DC2F1110968ADD82E1B4837A2EF2F34D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393133Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:51.796{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9233950D7EA194C1E92E676D2C64D8BB,SHA256=D8E229BC3BAF6DE3071C9D76CAD26316C84E220EF1B46FDBB0A1FA21D24B8B36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448153Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:51.174{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=617B2F9ADEBFDA1E242A1C01C83E7709,SHA256=3B90B2E010DD8BC2D68A1E5080460AC8DB68481F43A41D032DE9C51E020B7BD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393134Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:52.811{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9380545040E4A6DFB214275F73D816E6,SHA256=6BED4D7DFA485AC33CBBEB4A658AB9E49107DB91104696A0D3F3D61D48A72DDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448154Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:52.205{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B1D8AB9079AE0105CE3F4BA613AB739,SHA256=77887AC72D32B87620E6D9D87E24D76E7568D97A8D978B55E179D2142537D142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393135Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:53.811{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362CAA1BAA9471995C33BACBB064A653,SHA256=F877D6CE9B256D5618BA8D9BCCD7C109CD8B5E36343A60BE00BC74AF08BA4D9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448155Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:53.220{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5F3ED95A320F114CB37AA2E59553A3A,SHA256=DB64C5AA33F2850BC929F3FEDF8561838664CFD7B0DE50875791B75A18D6804C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393137Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:53.302{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53583-false10.0.1.12-8000- 23542300x8000000000000000393136Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:54.811{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC7BCC2964C2B693FE9ACA60B6F8B91,SHA256=B695F754BE6212DCFE4671ABEE6DB7C469E8B8BF457F14642350FD9EE84C50B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448156Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:54.237{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6B21CBB47A949806396A894261AEAFB,SHA256=1DFFBC52681828F6E819D1830E97240547583AB5499AF36B6ABE1C7B37249E75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393138Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:55.843{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF916B07181B31B526715A83F260D315,SHA256=8C615BC54A3D776D8CD74C470A50B1B025D707BAD4718F4CBC2EF948EB584FB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448157Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:55.255{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F8082161707D839D4F2769833114FA,SHA256=D914F842D14AE9CEC51C506F88D99FC2145674FB786FCB43FE51F3E9D3E96F69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393139Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:56.890{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE36708DC2CA31F33F5E07F2C636D87,SHA256=4C6EB8DF1CC6425E90B8D7ECEFB84F5E74B8ED88566D6C79943D2802087AC1A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448159Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:56.258{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6CF2ACD73528ECA7C1F8C6F7CB363EA,SHA256=DD5F824BF7FA49B1C06D6F429BB279A88A40D5F4D94F22A23C3C893E29A20EBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448158Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:53.613{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54162-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000393140Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:57.890{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD0EE2E81150D623A6DEAA6E57EA32FF,SHA256=B56110ADE61E50D8E22ED8ADCE31AFD219F0A7BFD53896824AE59A4FDC7886E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448160Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:57.272{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB0FE5A74355242F3D95F1AEA39451A,SHA256=9CC57FECE79048A5E1B7176EA052B73D0DCC6698810D0E1323D441723DD9E919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393141Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:58.906{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4A1785716DFABE54E5E543D60D7E0F,SHA256=B8ABD09D55F05F561AB6BD65CEB050C1697667B1A831274DA24A2CD61C26CADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448161Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:58.286{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A255354014DDB7A9D91119A7757C43,SHA256=685DE883CB2F2DCCA3B089A64085D95FD9EFB31AB9803BE8AE225A04C038095C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393142Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:59.952{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61D61979F6BC59BE1E267AB7F561B202,SHA256=7B06317D68AD1293217483B081CF2F72CDB75E46FB0E148FB203B5568F0E75D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448179Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:59.969{D694AEB8-024F-60E3-4B0A-00000000D301}65003844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448178Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:59.817{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-024F-60E3-4B0A-00000000D301}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448177Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:59.817{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448176Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:59.817{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448175Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:59.817{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448174Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:59.817{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448173Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:59.817{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-024F-60E3-4B0A-00000000D301}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448172Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:59.817{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-024F-60E3-4B0A-00000000D301}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448171Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:59.818{D694AEB8-024F-60E3-4B0A-00000000D301}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448170Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:59.302{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35C11897B9B72CA463D5D59B94CD9A03,SHA256=AFFC41F92E4225155A7F0929B02383B2C9E6ED51A7B22649C5357EAB744E0179,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448169Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:59.217{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-024F-60E3-4A0A-00000000D301}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448168Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:59.217{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448167Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:59.217{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448166Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:59.217{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448165Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:59.217{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448164Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:59.217{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-024F-60E3-4A0A-00000000D301}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448163Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:59.217{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-024F-60E3-4A0A-00000000D301}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448162Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:59.218{D694AEB8-024F-60E3-4A0A-00000000D301}1768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393144Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:00.970{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46FE33577B706E6C06DDB4EDB0ACAE81,SHA256=91338D1BDC23A4BF1BB088F4409C7ABE044E3AF3FDE9A4922060C39EC1051FD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448190Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:00.437{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0250-60E3-4C0A-00000000D301}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448189Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:00.435{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448188Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:00.435{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448187Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:00.435{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448186Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:00.435{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448185Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:00.435{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0250-60E3-4C0A-00000000D301}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448184Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:00.434{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0250-60E3-4C0A-00000000D301}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448183Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:00.433{D694AEB8-0250-60E3-4C0A-00000000D301}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448182Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:00.316{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4FB8B2CCF36302B78FACC7FFBF1C162,SHA256=60457198CC738C960B4EB77BEB6A4721C5B5EEBCB07DDD69445E5318996A7F64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393143Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 12:59:58.334{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53584-false10.0.1.12-8000- 23542300x80000000000000001448181Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:00.285{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=404309AFF5023D4A1BA8F658ADE56A2B,SHA256=D07C7F1B27C201A9C38DE514D57D4FE40A5FC0EE1CEEFAA8D8927D4917CC04DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448180Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:00.285{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BF5FC4419C76534235A90BCA87A7598,SHA256=C21E407CC350CFFD4C473416828626D9F26B3F30048FCA9095F65FBC9E29F671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448192Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:01.453{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=404309AFF5023D4A1BA8F658ADE56A2B,SHA256=D07C7F1B27C201A9C38DE514D57D4FE40A5FC0EE1CEEFAA8D8927D4917CC04DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448191Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:01.336{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7453286CB51D90C2F0C5F841B14999A6,SHA256=5F9CD5831FAEAFD89627B11382BDFE7EBB974CD9A5B79063FADFFE189BE68162,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448202Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:02.935{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0252-60E3-4D0A-00000000D301}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448201Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:02.935{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448200Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:02.935{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448199Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:02.935{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448198Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:02.935{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448197Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:02.935{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0252-60E3-4D0A-00000000D301}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448196Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:02.935{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0252-60E3-4D0A-00000000D301}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448195Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:02.934{D694AEB8-0252-60E3-4D0A-00000000D301}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448194Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:02.351{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA4D6C05EA8315FBDC4B9CCE1C9EF9F,SHA256=CF0984709330CBFDF0ACA3E8EFEFFD29B8C3C47E3F99B5BCD88DF6D253A7973C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393147Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:02.720{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9231C6A93CD842900F58135B0B6C30EB,SHA256=0719D4A5F4879BDE3DAD5CF294ECC612E78F5CB632EC06DCEE0FA1977F9E6F8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393146Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:02.720{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3323FF23FDAA04E8374DD6ADE595CE5D,SHA256=906C3659C3B000AB15EFD8C1F5D9B6D2BB94541568131942793F747E4C518B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393145Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:02.017{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D43186AB134A3B22862662AB8107B976,SHA256=AFA7073BF19184AA4B83F4DE47ED48B735B365201DE2E5DCC8D0CFDDB62A9993,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448193Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 12:59:59.641{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54163-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001448213Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:03.666{D694AEB8-0253-60E3-4E0A-00000000D301}48443816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448212Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:03.513{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0253-60E3-4E0A-00000000D301}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448211Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:03.513{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448210Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:03.513{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448209Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:03.513{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448208Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:03.513{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448207Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:03.513{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0253-60E3-4E0A-00000000D301}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448206Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:03.513{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0253-60E3-4E0A-00000000D301}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448205Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:03.514{D694AEB8-0253-60E3-4E0A-00000000D301}4844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448204Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:03.366{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D9B313DDF16228BF9EC4CC4DD702AE,SHA256=06C470339D294CC237667D3685E5FF0760192D0D91F19EA11C323478CBD9FED0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393149Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:01.378{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-56423-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000393148Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:03.048{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C551A2FED5B7A236CB70B13FEA2605EB,SHA256=8A115A3DC693E176CD35BE5294AAB9665F40960D0C7E891145E39B600B29F454,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448203Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:03.082{D694AEB8-0252-60E3-4D0A-00000000D301}59843260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448231Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:04.850{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0254-60E3-500A-00000000D301}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448230Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:04.850{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448229Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:04.850{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448228Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:04.850{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448227Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:04.850{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448226Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:04.850{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0254-60E3-500A-00000000D301}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448225Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:04.850{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0254-60E3-500A-00000000D301}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448224Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:04.851{D694AEB8-0254-60E3-500A-00000000D301}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448223Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:04.381{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=293A4A9A47877D9A135379A58C70B1D9,SHA256=9597E9A633AF79E2080CAF9B7E3D5F8C8F873620285E9D042F107FC4C9C9A654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393150Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:04.048{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3AB3DA902AC9A01D092B6ED93C9880A,SHA256=5704EA8BD4AC6F1CDA3D88B37EA6D503A4BC7127E08975A744FD171DD39977D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448222Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:04.165{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0254-60E3-4F0A-00000000D301}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448221Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:04.165{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448220Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:04.165{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448219Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:04.165{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448218Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:04.165{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448217Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:04.165{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0254-60E3-4F0A-00000000D301}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448216Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:04.165{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0254-60E3-4F0A-00000000D301}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448215Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:04.167{D694AEB8-0254-60E3-4F0A-00000000D301}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448214Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:04.112{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DDB6B756DDBDC326683FEFC18E472B7,SHA256=F71F6FC5934AD5430B562C8449EBADD55665CEC1EA0CE507A8AB523112DF96B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448236Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:05.396{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=117DBE5BD97A37F76E20E4EA25346CD9,SHA256=CF0871298C1F89CC96C4CC4ED72AE83B960321E25C3B6E64E078B90CC938A026,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393152Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:04.351{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53585-false10.0.1.12-8000- 23542300x8000000000000000393151Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:05.048{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF4C4A717BDC4D125FD23A7F00A504DC,SHA256=1E0519EEF1FA1B242C6EA26817E56D01A7F6BDC8B5E56830C877426CEA357599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448235Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:05.231{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96FFDA0813BD0061EDF1B2FAAB3E5609,SHA256=69051F4C34FE50D9065154E820AF92F12BE9193D1133A2EF189BB9F0BAA0B6EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448234Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:03.055{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54164-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001448233Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:03.055{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54164-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 10341000x80000000000000001448232Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:05.012{D694AEB8-0254-60E3-500A-00000000D301}61006276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001448237Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:06.429{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18FDB268015D68DAF6C5D720A04FC311,SHA256=8266230DFB2BCC7F4685CBF81190F991FC45DD3F98FFECF1EDD8025ACDDE6E03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393153Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:06.048{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DB10D6F9EE5ED491BC3C99439E14315,SHA256=8D2B3B90491016FE2B1D11CE5CC030FBC416497B3BAF3E3911ABB770C7B414C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448238Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:07.446{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5772377D4B610B60097C2C57024FBE95,SHA256=D3D617613859BEDAEF7EAE822AE507E1861F72867A774ED46F22829EC8902160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393154Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:07.048{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=819555C2C51E913DD195436CC25CE2EA,SHA256=3F776724B5694711E229DF3825E9C193BECC18B21D2A6959D67B60D8ABC69404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448240Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:08.461{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF5E474370223ABFDE86742A5861E67F,SHA256=7F192801028AC33532DF95BB02B781376E42052061A6398985E86A0CB8AAC6CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393155Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:08.048{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3E6FBDEF19DDE09782DC69107A2BF2,SHA256=148E546EA3FF024B7C47F935D8D066BABC947A294E2520D9829277C95C9242A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448239Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:05.667{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54165-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448241Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:09.475{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C3CC215B975B34B580C77A10026DA4,SHA256=DC22CDBFCB676CE94F4812123EC0C9CB994B39E1C21E695CEF2170B83AE03645,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393156Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:09.048{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C476AB74A9F209507B8E205202BDBE7C,SHA256=BB4CF61B53954AAC8BC6E2F3F25E6E174E0B64131C7C84CADE31F3E7D664DE77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448242Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:10.490{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F1972285E2D36185AE63138ECD3A2A3,SHA256=C533CAABCFAA5227C3E92C6CFBD0547BE2276E6186172CA4738B111E362213B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393158Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:09.367{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53586-false10.0.1.12-8000- 23542300x8000000000000000393157Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:10.048{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9766AF889735F7F26C647260FA8F752,SHA256=A975A596606BC2693B460355721F795A5BE0941E0DB7D98A781F77B3D477AE16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448243Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:11.504{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F82FFC0789672A893336FCBEF070EC,SHA256=9E6642E0CC1964134F688A586765EFED90D75DE1DB3BD978965737FD699BABE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393159Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:11.048{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F6E5C4D00817D86838547D307495D6F,SHA256=CB354D02B779741BABD70527F9A8F62FABCB26DBCF2AE10C1DFAD0A07190480A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448244Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:12.521{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8C8B0BB24818B9DD023A3F98EFAF6F0,SHA256=47FF019D307C722F01259EDE78C21171F4DE57CDB2E896FEDB42A1AA09379238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393160Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:12.048{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51CADB4C5B42BDB56B7A87360B078824,SHA256=FCA153ACCF5866AF536B0BEE31877682C58AC5BF5B6C079BC4CB00B58921D852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448246Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:13.525{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC4ACBBC694BBFB578723674EA11E37,SHA256=F23BA842F52F8B49436E7896F4854F48C582E0B3A04240D699F595A816EDB7FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393161Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:13.048{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A6A54595AA09D5355F530FD27F83926,SHA256=C84A488ABF2E3ADCB78571F1924F7DA9DFE87F3D56310D70D724ED81E4C284CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448245Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:11.675{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54166-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448247Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:14.542{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F63C7EFF10E9F2E053AD48F4CCFA16,SHA256=CE9BBCD260E1FA7299C35596048A8A17290C382CF5FC6368F7353212671AC192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393162Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:14.048{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCBFC8FB241F5B3E98E4F6F18D6E8C0E,SHA256=EE49D49257D20EFC43A7E131FA1084BC6CE1B4843F20AA5806677E73C58B105A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448248Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:15.556{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C3F9806E654846C4D6B99219A749632,SHA256=AABC57B48C728F12CD995600221576D6418A560F761BDBD7D4D1376116CDD5E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393163Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:15.048{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71604102FFBF8B875FFB1F63BDC92DE,SHA256=7F9A40BEB3DE4349EE17B617408D38AE5B33C758F3776D734E712DFDE08AC514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448249Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:16.571{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E0E1F2D1EA6AA69826E7F77FBABB96,SHA256=C1891BB6A97959A4A35EF20C14A968581817C23778B97C93D89845ACF717E0B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393164Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:16.048{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4AD6605DCB8545C68D83977007AA7C4,SHA256=73AD1041FBE77FF8CAD2C7473ACC97DB0CE5ED5F7BC2A2404E1309BD6566D7A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448250Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:17.601{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=264EEAAB5594DCCC6186B91DECC2B27A,SHA256=A83E7EC78148C0D34AA4E3566837C3ED847D14ADFEB880ECF2595D35E297E4C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393166Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:17.064{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B28E768C4331D9B054035F6C1E065409,SHA256=08980E62A9FECC0B673968BBFAE63D9B482A6360CE84484A5102DD0E811E51F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393165Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:15.383{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53587-false10.0.1.12-8000- 23542300x80000000000000001448251Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:18.618{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E13B9F45804C0E4D7F4380E4363D122B,SHA256=A957AA7D3E7E0499A9368A25E9058FFE02F1495F883415683BE1EB5BDDFEA745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393167Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:18.079{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B289F455987370112EEC5094C0AE9C,SHA256=B1AAE72A6B132FA1C9CDEF182FD998A7B31C4001D032B6F7489685CDE58547F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448253Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:19.636{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0AD065824BD54D26C33402B8CDF7359,SHA256=A8A8E1AA7A086AC536AB282F2467597CA4C0A5196E73CEC6D2FE1BDB4A94CB3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393168Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:19.079{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE73E024BA04A776EA1341A38D4A052,SHA256=47DEA928C97169F8C7660784848BD2E64C74EE694EC059D34226A6A393850F36,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448252Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:17.672{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54167-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448254Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:20.666{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D0EA22F5A232367B88D9B68BBDD903,SHA256=4E1585712821653D9ED9D631653537B8D99256F30981DA700C1BFBE2C3E62549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393169Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:20.079{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E402CC10B4F69CF03125EFB37FC05ABA,SHA256=C835F6CE86713D6F726EE0AC5C86D6FC26C23A96FF094F4D2426A0492E7E9D2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448255Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:21.697{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82E6D34718CA2EF7A48ADAA9B3D3121C,SHA256=C77988B6FD9AE4483B8B1C6F2862ADF59D8B5B66792D8A9C3F2DBA688AC5A777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393170Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:21.095{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=343545A96155DC29EEC3612430C132E9,SHA256=5D2AB8C62266903F23CC2735B61A6F0E21F110466D00A126C28C946B7D7DEC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448256Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:22.713{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B11FAA0A30ACEF56EE114EE8E51E764,SHA256=56C42F7F087DD7EDEE16EAA0C02917E2686C870AE6FC05A4A96605FB57B7ED2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393171Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:22.126{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C898A1E0372FD4FB419FE1B5681D7E25,SHA256=3ECFE71968C8AC893E4FADE3BA4296980F50BF7F17C57D848368ECB50BB3A735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448257Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:23.732{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D70F504199D256B913F0B2905097E3,SHA256=5116E4888D9678DC37C629B27338078EDFD788341B047368D07A93EC18CD68AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393173Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:23.298{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08248343AB1E9351CFC6BFD10A926D11,SHA256=4AF619B5E8D8E2CEA8C3ADFC035CBCF00AD084D48223CE49B073008ECFA23B90,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393172Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:21.398{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53588-false10.0.1.12-8000- 23542300x80000000000000001448258Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:24.747{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0605C2EF801B9CA4F76CAFD70C289299,SHA256=BFE907E24A7EB3BFADC5EA33B10DDAB9CC8C000EB117779150E537F55B2227B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393174Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:24.360{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871FE26B0DD295DF72E046B6A6C44357,SHA256=D13D9003F112861CEEA536AF9EF4B103B42D02888D1C90C58AE454968DDBB838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393175Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:25.579{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D25A7EA262AC4ED020F88A6E445C60A7,SHA256=C23EEF08077024CE0000EC8320E610CF5CC0B444294F63866C3B64C095596A3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448260Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:25.761{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A1D4C882767E8441BCA9FC32B63CAC,SHA256=E9D6ED8273D3A9E4862868976DB805AC3581642E9F55CCAA2B5E6107B21D76C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448259Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:23.670{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54168-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448261Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:26.763{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=242DE8589ED3E9305DE92D2DA60E37AF,SHA256=D1F5B532DA2E7887A9418A39ACE798758FFA1E99B74860BE8A0935AA8C2E06A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393177Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:26.782{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61348D8C2ECD503230FF6CE7C9EE6CA,SHA256=A57039D5BB10BBBCC4E52AF0DC057F0F1DA5D821A0D40DC814E0E6243A5F1279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393176Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:26.204{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F836CA53D4D26A92E70A2FC40A36AC7D,SHA256=E8B8A91818DF9CF43C67BF267534A69EEE194F27149A126D4DCA54A8D0B3730A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393188Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:27.824{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDB37D1352277A4643F658BE5AC9EA00,SHA256=499F817FC2130111A4BBBABC37DCC242608614087B81DEEB537C5B8446F7763F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448262Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:27.777{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2DE36D4FB9CFEE2D341E7B64DFC6D6,SHA256=6AB992BE4B7CEBBF1A92A30A548F2F1E9965E5B51ADA591AF606ADBE7D377BAE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000393187Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:00:27.745{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000393186Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:00:27.745{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0132d178) 13241300x8000000000000000393185Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:00:27.745{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77195-0x583cb17d) 13241300x8000000000000000393184Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:00:27.745{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7719d-0xba01197d) 13241300x8000000000000000393183Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:00:27.745{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771a6-0x1bc5817d) 13241300x8000000000000000393182Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:00:27.745{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000393181Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:00:27.745{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0132d178) 13241300x8000000000000000393180Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:00:27.745{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77195-0x583cb17d) 13241300x8000000000000000393179Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:00:27.745{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7719d-0xba01197d) 13241300x8000000000000000393178Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:00:27.745{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771a6-0x1bc5817d) 23542300x8000000000000000393194Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:28.886{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13712DACB3E181914CC6DC26F01D4798,SHA256=C462382609DDD0F4F7C3289CFC64DE1C7056444651F701131D3E3C908CFBD51F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448263Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:28.793{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D632113B6855ABE90CEDCDE138FDE3,SHA256=D78E635E9AAA114E8AC2933CBF6D769236EBDD09675ABC49ABB47B318C115AF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393193Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:27.501{7F1C7D0B-B3E6-60E2-3100-00000000D401}2984C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53593-false169.254.169.254-80http 354300x8000000000000000393192Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:27.391{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53592-false10.0.1.12-8000- 354300x8000000000000000393191Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:27.374{7F1C7D0B-B3E6-60E2-3100-00000000D401}2984C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53591-false169.254.169.254-80http 354300x8000000000000000393190Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:27.324{7F1C7D0B-B3E6-60E2-3100-00000000D401}2984C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53590-false169.254.169.254-80http 354300x8000000000000000393189Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:27.322{7F1C7D0B-B3E6-60E2-3100-00000000D401}2984C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53589-false169.254.169.254-80http 23542300x8000000000000000393195Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:29.917{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B570578026D2060ECB6CBA951AC442A6,SHA256=6625BA8FAEBE072002567CB0716CD0441900C50E5F799652E9B10506CE057A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448265Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:29.829{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448264Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:29.810{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4A01033F888F15202D44557D42CB82,SHA256=82A7F4D5BC913E0A35B3927CAA2DB4F0A978318937B5CF9A9D1947AB3306F95B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393197Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:30.933{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD02E22C2A5D4F718731B5C94A82DC1,SHA256=E39450C526E48463AAACEB321DB95009CD768B613B709F9B0C3CEAF382A9A886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448267Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:30.828{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6501CF1966DEBFA24882DC14EB695F8B,SHA256=AF8723216F10C2C1D00CB3950B53494A08035C23AE09948736339E15D52CF7EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448266Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:28.686{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54169-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000393196Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:30.589{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448269Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:31.858{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D5AA4EF61ECC4A75C6D22F812C8B3C,SHA256=F8D03104CC55777D231B998A09475B64A1C49414955A0F00274F94FD74E8BC2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448268Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:29.270{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54170-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001448270Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:32.957{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD168B8FF38091AA6954602AC7CCA282,SHA256=DA91F6915A3D5F96451D73991D1ACD93C2B0733D9C2477679411099D1EEC9FD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393199Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:30.752{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53594-false10.0.1.12-8089- 23542300x8000000000000000393198Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:32.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C3653446E0BCB764EB72551A9DFF372,SHA256=0F416D50A47A438A7A1160E6933025F1BC13BD90E09445367BB113323B149E44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448272Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:33.972{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B31CCB58F097EBAE8F9FA4DD9E2BB292,SHA256=BA61295E626DF9F9445A9F9C60036928356326F6A62BA0E26894D6AA2169EC37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448271Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:33.704{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F04532C8F5FE65F4A926294AB9AEAC69,SHA256=F3B742E27A5D21E59D2018B41CE8D368AB114E442540C11C3A6F40C13034DC8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393201Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:32.409{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53595-false10.0.1.12-8000- 23542300x8000000000000000393200Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:33.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F3922C7EDF1FFAA3416D8EC8D86FAE6,SHA256=D8A4B96683640418BF51A3516E442A41C5E133BC734BA2D0CE99765740805D47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448273Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:34.986{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D17F4CB7BE3B32F1445A96E969FB2340,SHA256=A9832710EE2ABBDBFE9EB88DEAB75153C660B06E4F317A67389CEDCD188D3CB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393216Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:34.808{7F1C7D0B-0272-60E3-C009-00000000D401}37724032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393215Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:34.621{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0272-60E3-C009-00000000D401}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393214Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:34.621{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393213Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:34.621{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393212Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:34.621{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393211Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:34.621{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393210Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:34.621{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393209Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:34.621{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393208Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:34.621{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393207Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:34.621{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393206Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:34.621{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393205Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:34.621{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0272-60E3-C009-00000000D401}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393204Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:34.621{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0272-60E3-C009-00000000D401}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393203Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:34.622{7F1C7D0B-0272-60E3-C009-00000000D401}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393202Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:34.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F6192193302D2C5009596C6A4E8308,SHA256=86A729B667EC3778B02AE917F0B85F94C74B250101DECE89C84E3FEBE6A66140,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393245Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.964{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0273-60E3-C209-00000000D401}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393244Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.964{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393243Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.964{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393242Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.964{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393241Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.964{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393240Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.964{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393239Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.964{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393238Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.964{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393237Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.964{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393236Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.964{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393235Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.964{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0273-60E3-C209-00000000D401}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393234Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.964{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0273-60E3-C209-00000000D401}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393233Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.965{7F1C7D0B-0273-60E3-C209-00000000D401}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393232Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.667{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A35EB8959BC258BA41FFE92CAAF1C300,SHA256=BBDDE9B2DD2ADF4F559F06F2B5ED1415E073D9F4255E48865DE745DD2E5E4A44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393231Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.667{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9231C6A93CD842900F58135B0B6C30EB,SHA256=0719D4A5F4879BDE3DAD5CF294ECC612E78F5CB632EC06DCEE0FA1977F9E6F8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393230Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.292{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0273-60E3-C109-00000000D401}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393229Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.292{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393228Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.292{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393227Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.292{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393226Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.292{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393225Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.292{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393224Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.292{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393223Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.292{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393222Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.292{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393221Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.292{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393220Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.292{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0273-60E3-C109-00000000D401}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393219Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.292{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0273-60E3-C109-00000000D401}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393218Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.293{7F1C7D0B-0273-60E3-C109-00000000D401}2096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393217Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:35.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EA316C7C0111BC6E73586B107DCA6E9,SHA256=2F5E4A0B2DABB730886AFFF97EC70D06BAC8508AF15A2F09E2F1605D9B163047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393246Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:36.355{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59EFEF538BCA0210E64FBC4B6640FC9A,SHA256=CC51C02F0E81171F010212460E7278FC9F57D64934F752BBCD9A615873FDF056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448274Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:36.006{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=158D9204DA129967B9734A9F2D92C970,SHA256=5C28DBD1A41C8EC108179E5A07E55C6ED0082107961D6D85FF59055308A8A0F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393248Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:37.589{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=221C6D191E0B9D89D716046F83DDBF9A,SHA256=09A915E44B85524E04AD4C91E8E7D5A67D35DE99D25A206758E5C748EFB64A0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448276Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:34.580{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54171-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448275Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:37.022{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=225745C1C0002F7271F33505CCC87117,SHA256=BFC3F042ADD7E16216059B0F4F36A56484FD53566A5A361AE840C0AC96068D20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393247Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:37.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A35EB8959BC258BA41FFE92CAAF1C300,SHA256=BBDDE9B2DD2ADF4F559F06F2B5ED1415E073D9F4255E48865DE745DD2E5E4A44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393249Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:38.605{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE88C9FEA171849720778BC2745DCFBF,SHA256=B44767006FF0F38C9A44442FD31B8F3895F8AAF60136D0823EE4C39CB572B7B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448277Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:38.036{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21BC1E15A54385B749C7C2DEA5AF352E,SHA256=14DC46AA1834E2219B0BB9942E8548C77E5FEB62953E9C354700B7B55CA2EEA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393278Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.839{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0277-60E3-C409-00000000D401}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393277Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.839{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393276Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.839{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393275Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.839{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393274Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.839{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393273Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.839{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393272Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.839{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393271Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.839{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393270Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.839{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393269Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.839{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393268Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.839{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0277-60E3-C409-00000000D401}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393267Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.839{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0277-60E3-C409-00000000D401}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393266Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.840{7F1C7D0B-0277-60E3-C409-00000000D401}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393265Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.777{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DBC61AB2A8C0A275FEB1DA638C5ED1E,SHA256=395C4B326EA0B1BE146BA6848C7C69F1FEAA309F5B539E0A1632EC291499F986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448278Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:39.051{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B4031D5EEF3C906890D6B26A7B5E0A,SHA256=FFB7B08533B1C345CA20CE98D991D580C02A3DEB82F3A8783098EBBC7E4B3947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393264Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.464{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C47C23083FD0DFCD5657BC639B3A51A,SHA256=C4447C4C4D235A8FD9E4D0781A047441CB6FE26E3AE18423110FEFAE612EFEA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393263Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.419{7F1C7D0B-0277-60E3-C309-00000000D401}16122332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393262Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.230{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0277-60E3-C309-00000000D401}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393261Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393260Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393259Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393258Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393257Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393256Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393255Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393254Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393253Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.230{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393252Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.230{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0277-60E3-C309-00000000D401}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393251Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.230{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0277-60E3-C309-00000000D401}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393250Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:39.231{7F1C7D0B-0277-60E3-C309-00000000D401}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448279Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:40.065{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62ECF631A987D492AB4E9F8319B1DCBF,SHA256=8709DF9D4287A4CE0A4EC150E5897D49A35B2FDEE4DE80BB7FF3BB8B26AFB665,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393295Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:40.715{7F1C7D0B-0278-60E3-C509-00000000D401}23643756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393294Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:40.511{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0278-60E3-C509-00000000D401}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393293Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:40.511{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393292Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:40.511{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393291Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:40.511{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393290Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:40.511{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393289Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:40.511{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393288Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:40.511{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393287Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:40.511{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393286Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:40.511{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393285Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:40.511{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393284Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:40.511{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0278-60E3-C509-00000000D401}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393283Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:40.511{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0278-60E3-C509-00000000D401}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393282Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:40.512{7F1C7D0B-0278-60E3-C509-00000000D401}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000393281Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:40.013{7F1C7D0B-0277-60E3-C409-00000000D401}33721976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000393280Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:38.440{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53596-false10.0.1.12-8000- 354300x8000000000000000393279Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:38.326{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-58906-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x80000000000000001448280Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:41.079{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDBDCC970ADA17CB8EEF0DAAF8240154,SHA256=D6DEED6F16B5E2A12F235CFF207619EC59D8FE3E524B2F2AD39F1344A97C9CCE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393310Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:41.058{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0279-60E3-C609-00000000D401}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393309Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:41.058{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393308Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:41.058{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393307Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:41.058{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393306Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:41.058{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393305Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:41.058{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393304Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:41.058{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393303Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:41.058{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393302Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:41.058{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393301Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:41.058{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0279-60E3-C609-00000000D401}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393300Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:41.058{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0279-60E3-C609-00000000D401}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393299Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:41.058{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393298Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:41.061{7F1C7D0B-0279-60E3-C609-00000000D401}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393297Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:41.058{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B2233060ED5C1083652E323CDC8715C,SHA256=4CE9736E41C14D3892A48AC21C02FF141F92AC86180E7A3EEFBBBDF543BFD65F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393296Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:41.058{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0D5D80439C1E516473D8B4891EA3E62,SHA256=03D945E502E9CBF8F844615A8CB8E3E3E9D52B16215C19066FA97B8C17528B82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448281Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:42.096{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11810FB50FC7845F5C5AF508E8350232,SHA256=1C4264406C3F764FFECB0E56E4E80A37C982D4768505214B89545C799003A874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393312Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:42.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80BDD85EBD901924D9F35BE8C2818D00,SHA256=2BD4C8EAC3181BE18514AD09D1359023E08ED4BBD6C3985CF0FE1D18FC10BF47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393311Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:42.058{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94B52195AAD1B4CF3EFA00A07FCF73F1,SHA256=F04C24115C275E8F3CED2F226771FA8E1DA6684BC1D10C1339A91BEC44944F47,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448283Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:39.590{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54172-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448282Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:43.114{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70BE08E7B490AA6A31BA6E6FAF639111,SHA256=974484A1D472F4370D81197DBC555926070AADB9DBE216091EA26D048404287E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393313Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:43.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=995D50093EDBFFE12D0D6A7FEAD4A823,SHA256=8C330B56DA8A5CDF367DCB3E3D1D536C97B120773453195BD724A5E57712866F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393314Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:44.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4EBC6714C509F8402EE109D3EF061C8,SHA256=D4A9087F59A298720CADAAD56A7BC871C9028A3F5409C50E4EFE4225A26CEDD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448286Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:44.575{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=035960F44C5B13622E3F81362A3D579F,SHA256=B6FD89361A41A662B1FF6DAF059697AA2B8C3DF6F9694130A0435178E55E3734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448285Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:44.575{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDFAD7561AAA98D3CF92F360B2FDF4A2,SHA256=521EF04551503BE590648E549D857471D976D8142E94F96CFC2EB15C035EAB3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448284Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:44.144{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51CCB4C8407B8E313E080BA4B087099,SHA256=D5DEBA2DBC70F711F8BD4B0632CC212CC8E9AA9D1D2D48DFD27054939CCC4E4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448288Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:42.539{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-33914-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 23542300x80000000000000001448287Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:45.159{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=617168DAEE9F0F76C30AA14A908EF637,SHA256=E79D894159B04A800EA25BAE3D27A2ACDA7AA52A6E8A9B35083C6F07F3050F46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393315Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:45.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7D6D455504099F96BD4C280885F2A8,SHA256=213BD02091ECF252DED60A175AC9FA078CAF42F95BD6A182B7494C270B3D9E1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448289Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:46.173{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C273FC382146EB44329ABF7D9EDDB9,SHA256=00B46708D66F12152E9E37F691517E65E2014321FDCD743F812B68B39241A2BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393317Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:46.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D073D21F069897A0E55F90B58C8D6369,SHA256=B2F0F971DA9BFFBFDD8820EB13EA45F513D22152BF6C463EF9955AB3E7CC5147,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393316Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:44.190{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53597-false10.0.1.12-8000- 23542300x80000000000000001448290Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:47.209{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00BA6FF2CB8E2C7701A1382D2706092C,SHA256=7835CF313D96C670AAD6E147C70974BC36CBECEA0ACA2E52D76ADAF2DCB1EE50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393318Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:47.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04BB6E6313CC17AAA9BA6D77B720655C,SHA256=AED48DC0060EFB5C6AFE3EF499433E25D14C4B1F536248C618DC90E7D6F60685,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448292Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:45.629{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54173-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448291Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:48.255{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA910ADFCA8EFAD2F486C6C456A4DB3F,SHA256=9813E25E71AD400EB61D0C270856469ABA26B3B8DA9D9F5E79421B813CAB7EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393319Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:48.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E3EC342F45AB93E760471ADF097E17,SHA256=6FDADB14FD5D57DFFD525219ECCC4BAB1C67F75369B69644B5DD0014A72EFA5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393320Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:49.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=834C313AABE85500FF5CFEB02AC9FCE8,SHA256=4C88B6440A563434E7FEEDC8B04A3244D85F1A94908612A4F628217C3A1CB4CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448293Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:49.268{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F9469D6D34AA406A7A0B4847D8E9215,SHA256=B65FF33C9BA8571FEB32F96C95F560EDE961D24D125F37FE6BFBFE4D4F470211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393321Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:50.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0FEBDEC0CC2F1FBCD7F83641F72A0B2,SHA256=5C78215BCCFFF98C72011901415DA4FE8BB6208DAD40D08498CA24E811277F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448294Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:50.270{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D401BEDBD2728C1309B53C3CCC71904,SHA256=A9EEAFFF34EA711AB50B4AA23FD84C3D8F606716AF8A220B1AD8C8813B644465,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393323Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:49.409{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53598-false10.0.1.12-8000- 23542300x8000000000000000393322Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:51.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C278501422ACFE18642C769FEFDD7523,SHA256=48418112AD862BE08CF49461CA2F303F2144A0887B82F861F60967248A1A12A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448299Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:51.290{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=930E73762CD8AF66A613B5385DFD9C4C,SHA256=38E816248CD0AAA9EA84815DA15D2C4AC20116AF2593A7857003822E29A47ACD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448298Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:48.795{D694AEB8-B3FC-60E2-3900-00000000D301}3280C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54177-false169.254.169.254-80http 354300x80000000000000001448297Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:48.676{D694AEB8-B3FC-60E2-3900-00000000D301}3280C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54176-false169.254.169.254-80http 354300x80000000000000001448296Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:48.643{D694AEB8-B3FC-60E2-3900-00000000D301}3280C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54175-false169.254.169.254-80http 354300x80000000000000001448295Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:48.642{D694AEB8-B3FC-60E2-3900-00000000D301}3280C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54174-false169.254.169.254-80http 23542300x80000000000000001448300Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:52.305{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47266F4826B4A8556FF4A0A49AC0060A,SHA256=467E50983E719B76AAD212416FC1012F81D8FBA139E96F971A50E7CB590D779B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393324Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:52.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA8F9D1FBE741DCF06ADF8B61F8FDE1F,SHA256=DAA1035306AEC9A3861C4E419AD1D61540EC328CBBEC94C35FB8BECED97B2497,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448302Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:51.640{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54178-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448301Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:53.319{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C882A14F64315FEA116CFB103F4C8822,SHA256=084FE816F6BF3B39595C734E73F21B1865E97E73BFD65930E47990986CB9A73B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393325Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:53.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7125F27E0C445785E21557775470ED,SHA256=1104BA4243B357DDD17929205932D5E0D52B19352B91C6334117E5BE4DA90DF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393326Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:54.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56D8FF48B774BC9673CFB9F570F95305,SHA256=13EEE3C4DAA4217CF52ED69E6C23AB2908D020FDD742ADE9D6DEB821AEF69336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448303Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:54.334{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD5085E1C0BC892065B20AD359AE66BA,SHA256=0EC56935669A5B83EB63133F885A9DF310B1F59223EC50302B64010AD94AD744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393327Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:55.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77536E68F0809B3DD7BDFC350D5BC92D,SHA256=80D4B1D15D6C2034DDA707B9D5846F392CAF3F89BAA3D78ACB7AB64C78D7E0F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448304Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:55.348{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CCFF0E2C393B80752CBEABA0D604416,SHA256=D200CA8687E433EA090CEE652B99D49250AFC0FD0FD62BDFB4D1EF6AE04EB66A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448305Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:56.365{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E14E8D485A476CB67DD5B7E7175E913B,SHA256=C3063B7A2204DFEE837B77D545552647E0490907D7F88DF6014EFA2A432E116A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393328Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:56.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EB3924684E2C39FFFF4E079296FC198,SHA256=1600F67DE1C907365F3C5E6298B97B096EB0AC475667A139E158C5E73AED767F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448306Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:57.401{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E8BD92DFA86A103F8AD289CC82CA1A1,SHA256=1C9A5EA76D63436FA69B1CF5E4D86602E02C024F59B7864E5C8B4FBC611FAAEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393330Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:55.393{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53599-false10.0.1.12-8000- 23542300x8000000000000000393329Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:57.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=876B784DE62EC71A18C838879B75C5C2,SHA256=921E430FAC7F86869B1DA6508E44D6343897FEFF31F2182573E7A669606516D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448307Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:58.415{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D23B8FCB15A947E1B57E4EDFAE1A253D,SHA256=8110CEEE20F52BFFC4F6D42CBBF426E9536B305807380657555412E05AE14EBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393331Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:58.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=989A9A7C9AF2F00EDFB140940A91EBC9,SHA256=B38C86CC6B0B964ADA3B732D07B02346A21660E5140A6AA5EAF6BF92F27EDE37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448324Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:59.860{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-028B-60E3-520A-00000000D301}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448323Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:59.860{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448322Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:59.860{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448321Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:59.860{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448320Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:59.860{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448319Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:59.860{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-028B-60E3-520A-00000000D301}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448318Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:59.860{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-028B-60E3-520A-00000000D301}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448317Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:59.862{D694AEB8-028B-60E3-520A-00000000D301}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448316Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:59.430{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3AE8D3EA421D4DB99EC3F46EE5E5E84,SHA256=A710BE4F30067F7FDD618DE781DCB0CBE8649086930DCF68068EFD38512328D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393332Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:00:59.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCD76D3527E8DA107D13DAEB6007B57F,SHA256=512A846FB969AD19689A784FC23E5A6E07131C677160FA37CD63DF319BB800F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448315Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:59.230{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-028B-60E3-510A-00000000D301}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448314Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:59.230{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448313Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:59.230{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448312Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:59.230{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448311Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:59.230{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448310Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:59.230{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-028B-60E3-510A-00000000D301}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448309Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:59.230{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-028B-60E3-510A-00000000D301}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448308Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:59.231{D694AEB8-028B-60E3-510A-00000000D301}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001448337Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:00:57.672{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54179-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001448336Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:00.483{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-028C-60E3-530A-00000000D301}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448335Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:00.481{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448334Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:00.481{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448333Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:00.481{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448332Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:00.480{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448331Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:00.480{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-028C-60E3-530A-00000000D301}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448330Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:00.480{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-028C-60E3-530A-00000000D301}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448329Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:00.479{D694AEB8-028C-60E3-530A-00000000D301}4400C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448328Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:00.446{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8216FB03E95317BBC5B561D1E30114CE,SHA256=D193D140D6E693C9011822A7B901BA50DC8D70C53B8B7252CADC671AD97B5C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393333Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:00.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CEBCE426B95B471CCB36924F406EFC7,SHA256=2D8DD48E1B62669AE24CBDD3223CD768CDD721B64EE2E0C2F1814670E77410A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448327Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:00.244{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFD08B62C8D604E1A1FEC36E6343A91B,SHA256=97A94398CDE457F1F055DD3158812231786FA087E9B7ADA520B341C9AF8DA64B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448326Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:00.244{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=035960F44C5B13622E3F81362A3D579F,SHA256=B6FD89361A41A662B1FF6DAF059697AA2B8C3DF6F9694130A0435178E55E3734,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448325Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:00.060{D694AEB8-028B-60E3-520A-00000000D301}59566280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001448339Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:01.598{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFD08B62C8D604E1A1FEC36E6343A91B,SHA256=97A94398CDE457F1F055DD3158812231786FA087E9B7ADA520B341C9AF8DA64B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448338Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:01.460{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D249BA8583B40F9818685360C2768375,SHA256=447A62808FA1932C85BD7AF695271366B124706A1A0C257FA56B416AF93ECF5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393334Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:01.140{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01EF11A4F44B820044F9BE0BD649643B,SHA256=AF1912F9776DEE39F0ECE4464D34109801E1DC5FC8C8A94185786DC4F8DA3705,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448348Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:02.943{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-028E-60E3-540A-00000000D301}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448347Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:02.943{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448346Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:02.943{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448345Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:02.943{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448344Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:02.943{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448343Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:02.943{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-028E-60E3-540A-00000000D301}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448342Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:02.943{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-028E-60E3-540A-00000000D301}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448341Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:02.943{D694AEB8-028E-60E3-540A-00000000D301}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448340Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:02.478{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B528628E7FA5D3C9238B0C03365F65,SHA256=702D4CB6D47943D30049888BD755EB22C4480216559EFA940188580210DAC07C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393336Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:01.382{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53600-false10.0.1.12-8000- 23542300x8000000000000000393335Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:02.143{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=537CAFCC26F6D3FB5D190B0303769211,SHA256=453333CF49BF9AA7FBBE5FF8C0AD9E555EA706A3D8084E16C987661ABF922F88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393337Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:03.377{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED5CE2B0C978587AFF4E718F79C96FB,SHA256=C9870CBC6C9C08372F57427B87FF2D1C14CF75831712CD54ECD786AE1ECAA8E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448360Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:03.954{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7140678954D803434FACFD9460F20F5F,SHA256=949EAC395AE4533543616C92BB11CAF25A9A476513451F92F1E21641920249C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448359Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:03.810{D694AEB8-028F-60E3-550A-00000000D301}63445308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448358Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:03.628{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-028F-60E3-550A-00000000D301}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448357Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:03.626{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448356Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:03.626{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448355Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:03.626{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448354Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:03.625{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448353Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:03.625{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-028F-60E3-550A-00000000D301}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448352Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:03.625{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-028F-60E3-550A-00000000D301}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448351Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:03.624{D694AEB8-028F-60E3-550A-00000000D301}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448350Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:03.491{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A461FA7555B32CC700F53BD6B3FF6603,SHA256=52C9142F681EC0969832E01CE92362631A8004C6AEDDA60D683101DB6EAD76DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448349Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:03.096{D694AEB8-028E-60E3-540A-00000000D301}17044552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000393338Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:04.440{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCEF2425683F22D709E42DA012781304,SHA256=3807899813F8E908A3628835429BEAEAFE8B718F9202B7DEFEAC3810CB26A7F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448433Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.971{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0290-60E3-570A-00000000D301}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448432Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.971{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448431Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.971{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448430Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.971{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448429Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.971{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448428Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.971{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0290-60E3-570A-00000000D301}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448427Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.971{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0290-60E3-570A-00000000D301}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448426Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.972{D694AEB8-0290-60E3-570A-00000000D301}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448425Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.956{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448424Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.640{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73BC0B91DA02DEE5124CC52C3AE047E,SHA256=E7DB9C813C90551709DD0A8370643FE6F63BFA0A845ECE5063C7BEB25DC29A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448423Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.640{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=149635290F3BC9C149040A9D1FBF6D5C,SHA256=647D580F9EAAEBAFB7C7C83D4047141E93687D9339E843375FB4679E3331B852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448422Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.440{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=4389884605AD56EC50BF27FBD4CFB473,SHA256=60B552CBA048738FE850BA958CDDF9B742B6FAA7519F455D4B39437734725990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448421Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.440{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=3F92B621E1581AD764BE2EC57381AF23,SHA256=18FBBA6D350213F61DF718195FD2B38A3B8344D0A5C22C2713E6F8944E9A9DD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448420Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.440{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=8D76E0D31A687AE5A730C71C052C68E8,SHA256=6747A2FB92023CBF27E345AAC38B2BA7695A7DC5E9A42BD793D0CF6DAEAED260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448419Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.425{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=DC7308A91A03C92D7329F37F15C7AC82,SHA256=180DDE904FFF036ABD4045A52850200ACA369E4577E14E0675E5298855A6AA0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448418Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.425{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=54971F1ADD787A9676F9DEFAB4C7FE3F,SHA256=FD890E3920CDFB62C1089C6119A8F8B713F81BDDAF7BEC925AFB4BDFB32AF5E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448417Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.425{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=0A19E4A237D65FF069452EF5201F217E,SHA256=AC5D43328F28E2B1159D014197F58D987C2AB78C9179DCD924524353571FA604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448416Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.425{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=D95F203FEE1C8FAE222EF4C6D410971B,SHA256=1CA57763647104AEF83C8A86E8366FBBEE4BAA88C900C7AF66F437720319CEAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448415Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.425{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=C0FE3CB314FDF424A4D4F1DE2801A4DF,SHA256=C4CA8CE5B3B8D038E3348887BDA7634D1949325BB95A68D17184D2A99F37E810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448414Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.425{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=8F1AF05E946BCD9711A1CDE1B1ED6C95,SHA256=0F5C8864E17307F3C8CE1D35AC4770D0C1C34F8CDB3FC7404F2114B4E0FD93BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448413Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.425{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=B91E9842F81EE5668B68C0B5B561010A,SHA256=19F7DFB5FC8E587C8D48DC8A779B07E1C11CCD772A7B68025146FF0A335B54CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448412Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.425{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448411Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.425{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448410Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.425{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=0C8CB72BD41920DDBFFCFFC9C30343AD,SHA256=C84A2BEC2E1AD44BEC21A42E846AFE4D6897F3C518A0F8C9802AC79BFFC307EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448409Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.425{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=14846E80AAA225DEF490624C38E7FEE6,SHA256=4641BCF01E4CED478ABE02568AF906D0577F39FD7E4C62E2EE00278D0A77C84F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448408Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.425{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=0439E90290ED3341FA0ADA85A4F0A9CA,SHA256=8D2200DD4A041C909B0A9F24DBE232D040B22D0455CEBBEA6E793DA54918A35C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448407Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.356{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=3347BB14C5AAF001894B59DB5FF194C2,SHA256=AC6E2CA95EADBB633EED2D51173AFD504B8B1F04BFA59F96609097508D66835E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448406Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.356{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=75136ACBB23D2D7E424B0ACAEA931A79,SHA256=48BCDB86B289237CC1768FA3C703F53278266E9EB6F8367C7DFEDB731DA0FCCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448405Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.356{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=5AC2181D38DCF4E035B9673104679D34,SHA256=A446F4C4E2EC132EBEE7F220D4756A434E3AB4E86BE83E77DBE63ACE817A45E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448404Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.356{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448403Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.356{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=74340326CDB97A696E8E3A4B9CEA6BC0,SHA256=6DFF35E885CCF75F9D753991316ECC857A4B750245AFD0335D9D100C27B0234B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448402Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.356{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=2AF2C09E715BA1F11C76F8BA56C222DD,SHA256=01B09DB86C29F438F454D6D2CD99E4D7CB1250BBC2CE8C2E6FD43FBF9C1A647E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448401Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.356{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=C965F3BE99ADDAC3BB037581AA92A477,SHA256=50B72ACB8D6FE662CAA2E3F452FB4F7B0786B10754B81312932CF6949177D35A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448400Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.356{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448399Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.325{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=5A35E65CADA1885B6796D1B3FE56E5F8,SHA256=35A1BF0FF6DD2B70DA5F89611891D413808DDE1510D03D788FF48A214AFA7CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448398Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.325{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448397Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.325{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448396Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.325{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448395Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.325{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448394Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.325{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448393Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.325{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448392Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.325{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=E72E6B0165636DAE364CC43097FCD4E9,SHA256=3FE594D286D351B102E94676FD8A91B8FA0B3FDDD151336DDCE8C9BA2CFCFB50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448391Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.325{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=318288F5909637E0C3285C0942D72FF4,SHA256=F2BB9D40F7237C0E6D8EA96DFA2E864BD1264EB191C52BDBF16488D9466BC300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448390Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.325{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448389Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.325{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448388Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.325{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448387Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.325{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448386Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.325{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=F7A173C65979416711FAFF47FADFBB44,SHA256=7F018CC32CF471750B6C5322E27E4F1C38097C414E7C6DC6AF9CF31E607431A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448385Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.325{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=5C71167AC9642FCF7752093F77FBBC89,SHA256=6714F7FBADCCB013DA1D8ECEFA6368A7D193E1F2460477F8AC304EDCF8637AA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448384Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.325{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=BFED06667174B0D03EE7F88A3DDC9A8C,SHA256=7AE5584755089D28C3A52DCF1EB86E62D4F2E377D61A7D549C6D4EBD53F39B26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448383Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.309{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=E6AAB64DC2799B4ECC6A6D18F86BD283,SHA256=D72FA31B50E9164371C5B7A3CCA257B99CE12D900FB07DEF942361D76299F5FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448382Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.309{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=16E5F327975AC215E9EFA4A4FC5262F5,SHA256=4698D628493E91E42494C8343B7E6469DFC1BFB1F771258C2FB556E84EF314B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448381Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.309{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=C3757E7620737B3B6500073B370852FE,SHA256=34B07244F673343E9AC1C775B455C0A60AA95439E83A70B0C6A24E504A88F4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448380Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.309{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448379Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.309{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448378Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.309{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=8D9E3EEEE577DCE4B0062413A081F9F2,SHA256=D0E3356B67A0BB9BD101D87FA6E23EC2699CC8A25564CD88076663DACF73A9CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448377Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.309{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=2CC22CF356532158115AB8A0851A9A80,SHA256=6B106FD00C6E27909C9779448E5BDA5FFB96FE2A6FF42636A662AB411D9906DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448376Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.309{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0290-60E3-560A-00000000D301}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448375Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.309{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448374Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.309{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448373Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.309{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448372Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.309{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448371Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.309{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0290-60E3-560A-00000000D301}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448370Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.309{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0290-60E3-560A-00000000D301}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448369Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.310{D694AEB8-0290-60E3-560A-00000000D301}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448368Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.293{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=C965F3BE99ADDAC3BB037581AA92A477,SHA256=50B72ACB8D6FE662CAA2E3F452FB4F7B0786B10754B81312932CF6949177D35A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448367Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.293{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448366Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.225{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=14846E80AAA225DEF490624C38E7FEE6,SHA256=4641BCF01E4CED478ABE02568AF906D0577F39FD7E4C62E2EE00278D0A77C84F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448365Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.209{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448364Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.209{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=5AC2181D38DCF4E035B9673104679D34,SHA256=A446F4C4E2EC132EBEE7F220D4756A434E3AB4E86BE83E77DBE63ACE817A45E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448363Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.209{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448362Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.193{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=3347BB14C5AAF001894B59DB5FF194C2,SHA256=AC6E2CA95EADBB633EED2D51173AFD504B8B1F04BFA59F96609097508D66835E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448361Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.156{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393339Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:05.471{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F9F97F13BC7D32B3920FCFDD8C76ADA,SHA256=2CDB37F9419BCED66313FAF536687B3933BF25E816C1AD7C2AB3AA5D853D5815,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448441Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:03.054{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54181-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001448440Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:03.054{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54181-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001448439Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:02.541{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local54180-false142.250.186.138fra24s07-in-f10.1e100.net443https 354300x80000000000000001448438Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:02.541{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local49896- 354300x80000000000000001448437Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:02.538{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56185- 23542300x80000000000000001448436Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:05.655{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A46DBAB847FBB97E9A33E44CE0370E,SHA256=A4DA69BD522891840D4B542FFAD38A98A3E5AD377B3310DC0D6BC79F2683E720,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448435Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:05.324{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D06BEB5B1568EF57671A0ECD7B79CE8D,SHA256=10BEFDD3F6FA5096154A508155D60A40A5887904678E6B931DDC6BFABE1F64EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448434Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:05.124{D694AEB8-0290-60E3-570A-00000000D301}5372528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001448443Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:03.681{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54182-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448442Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:06.670{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD41144C1F59A5565EDD66997BC0C47A,SHA256=89656B98F52AB48137D49DE52026B54002C199B4B56DEE795288A5DC18BE850D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393340Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:06.518{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=387D7FABF9E59EBD19126F26052FAB36,SHA256=67728E0CAE927BC1DFF572A2CB11C33FBE5E2F7347D16ECAD23FEC7E9BD8D818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448445Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:07.688{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0F9188AF75BB6719A807A98686BF4E,SHA256=4BA21D82300BC36885860456EE22067D7495DC2925062048F1DE52BF51653933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393341Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:07.533{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D06FC4E80710591B3992EAE2D2AEC68,SHA256=524DF1EE4CDC60480984F8DD36FD5BFF08634D4A3F1CEA6FB00C402FB704581C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448444Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:04.965{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54046- 23542300x8000000000000000393342Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:08.533{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56E41E22E9557950AD4F5C19A7D1BAD6,SHA256=DDAEBC96BA9CF0D51C3BD96A5D2707C9C870B7F893960C60053DECF2F189743B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448446Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:08.721{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D3C28988DEFAF14ED47B21A281C689,SHA256=4E7FC25E11BCACEDAC16603DBD090F2A3CCA7B233BDD47133EE6CB8CA7D5DFF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393344Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:09.658{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83745F3D4D86AF17F4F297E7340E94BA,SHA256=4B54F47A1EC9DC6742F0451A38F0E54C2CA8E0A1DE129E0B6D9EF06AC899E2DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448447Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:09.736{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C8855312843BEF0ACEFD1009F0E7D8,SHA256=C86B1AA19B732D7F15BF6B648DA9BCEAA047BA854D1AC02D41C41EC1F127150A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393343Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:07.385{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53601-false10.0.1.12-8000- 23542300x8000000000000000393345Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:10.658{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7192644B3B7DD8300417B288A3541A0,SHA256=0EDA1CCA74E9D51D7A9ADDED566E02A181E916C5E4D19A1BE51977917FE491C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448448Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:10.750{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9294C66E7AB81E365378D53887AE9FBC,SHA256=1C83F78A7EA5EFD930F0FDE54B28C32F9BD13BD85FCC5DA7A5CF0F33EF0FF4DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448449Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:11.764{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC231E9BC5F84927A8C788AADBB82A19,SHA256=4ECF0006D391A6F6CFDC34E4D768C82E05FB726744B4487598B1AEC4EC02173E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393346Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:11.674{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D3BB09FB947312D7DD3CF728FB80EA1,SHA256=A7564925A5C84E6A4CF7802B617C9D374A8A942A6606983BC4D9247C741156C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448451Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:12.781{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D48EAB2DE6E6B1D59E5BDD2DB2D26505,SHA256=5A7EEF406E8806A50FC75CE7CF192413E6022B27ED2FC1FDD53924DDB3CA9AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393347Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:12.690{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A2315A588AB69D60801241A62AB973,SHA256=AA2649E559EFE636DD335C1B259D022FEA59885A59BC02B52C6036662BE258DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448450Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:09.676{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54183-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000393348Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:13.690{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296ACF74688ED5DAECFE63D34FDCC3CC,SHA256=98712B73AFB63F4985F079BDD8AE9941F92AE99172F931CF9B9C15E7C68A2E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448452Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:13.846{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF028EB3E477B566F6C70A913E19B3AB,SHA256=4D8E01CF3B4DA49C71AF8ADF7EA9934CF3BAE1CA93B07E8B2C57B2AE537DFE89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393350Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:14.690{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAC1D9B518DD6BBA86CE03D973304B4E,SHA256=D044E5BDE2060CFB5234045B3998DA6A59EB6EAC5095767B3AB7FAD7C703E860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448453Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:14.853{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F820B3D84FF9127B3C970C4087AB899,SHA256=51414EBEC3E644DBB9202C74C55DD4C98339755CB7A5F4A1A62C99D439CF36AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393349Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:13.416{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53602-false10.0.1.12-8000- 23542300x80000000000000001448454Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:15.867{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316ED603DD711BDC177FF3B2942CAA0E,SHA256=5AE3464DAB74B01EF46F8FE2C655EBED7431C26A1627CDA2324F5243016C3466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393351Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:15.690{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8A0CC938FF81D10A69A6642A2793C07,SHA256=D048807479E8AB43D0848DBE38B8E73DF90DED216CBC1CC975922B2BF7834A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448455Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:16.884{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F838BD22DF7DABB2F70D4961B6402BF,SHA256=6C3FAC4A58BC86596EB61CE6CEA34462FBA27312BD6090B8A63FCF2CECEFA849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393352Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:16.721{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D074CDBA7E2121A99CA3DB3D362E7E3,SHA256=8C01553FDCBCC2261A0203382FDA68E0A4F367E5E001A0A2BEA9D50DA6C9161F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448457Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:17.902{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F535A71BC525364047818156A08030D,SHA256=089037E9E0000D3E85F39D6AD96FDA014FD8912C1600A20AA9AD01BC35065F07,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448456Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:15.691{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54184-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000393353Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:17.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDCD1902387B7464B3FCD125FE2EC98,SHA256=69F2A5B0B0ED38339CBB924D7FF7FEB23E6570BDD67C00AFCE1294CF702CBB66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393354Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:18.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25BEF6A49BD84D4E15DA7DF8A257352B,SHA256=CD9DDD18581F7D6B60BF0AC0A76C2CB9A62593A3E747EEF10B01370E2F20FBEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448458Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:18.916{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D7AD64BD15F4E40A0A01256A5344159,SHA256=073DF8B01DAF132CB8B6EEFE74B28D62FCB7BF0F6DF0C9F811E7F17722A28E6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393355Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:19.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964F4FC52C7913F5134DD46EEA2701AB,SHA256=9C34498C8C474833F0CB5BC7E7AB373C0A5CAEB21B6327ECB57BB34342350BC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448462Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:19.931{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6195A7F25B48427F349A7058782DE815,SHA256=F81DA404E4D8CE0AE7E20ABD46DAF1E2E7DB8F37E65B65DD3FFE7D49150C06A8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001448461Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:01:19.884{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\DFD6B7A8-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_DFD6B7A8-0000-0000-0000-100000000000.XML 13241300x80000000000000001448460Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:01:19.884{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Config SourceDWORD (0x00000001) 13241300x80000000000000001448459Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:01:19.884{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_E4B998BB-7148-4125-92A5-5D16014446F6.XML 23542300x80000000000000001448466Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:20.961{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F35E15C3D4D48A66B16371531A62113,SHA256=EA01ABE9CBFFC52BAE6A02DE1B6118CD1737DECCD3C3E563D3B1C3C524B82508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393357Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:20.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=259F9E476C496BF20863C7F6AAC56D91,SHA256=49D0C5FE57B00767F0194B13DF2CAD1ADDA736D1BC41E59DBAFA50833400B5B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393356Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:19.213{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53603-false10.0.1.12-8000- 23542300x80000000000000001448465Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:20.898{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2188F808D4774FA9D0A9FCB37D5DA86,SHA256=D673C3E2D58CE57F37062A17421591121E9D96D7BC8D900D07F8E72D27690E44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448464Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:20.898{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4248B743BAA1B17C234F4DFD658BB4C6,SHA256=4E30D42C3F8CFC7AC9D71F639C014C81A808B582344A2850AD011214C696DB60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448463Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:20.714{D694AEB8-B3E8-60E2-0B00-00000000D301}6565876C:\Windows\system32\lsass.exe{D694AEB8-B3E5-60E2-0100-00000000D301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001448475Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:21.982{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D7D088BDE3ECB80D87ED6072C020EF,SHA256=15EC7F35AE8A7340D463C4D9BFEE2A75239D21E1A6E887F66397CCC8127F0220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393358Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:21.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A27A14D7454E569E3C5A974992E95F,SHA256=B763504859A70BAF44F40835D38F1B8F5C0CBD19A488881033F4BFA823E9CEE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448474Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:20.058{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54188-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001448473Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:20.058{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54188-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001448472Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:19.356{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54187-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001448471Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:19.356{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54187-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001448470Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:19.350{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54186-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001448469Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:19.350{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54186-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001448468Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:19.336{D694AEB8-B3EA-60E2-0D00-00000000D301}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54185-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 354300x80000000000000001448467Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:19.335{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54185-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 23542300x8000000000000000393359Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:22.940{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D6A4B705D36F96AA341240F4BCCCFAD,SHA256=DD0E444BCAD7CACDC7D80E0707B0985340BAA13B34FB4A14D842ED4A997DBB69,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448479Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:20.175{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54190-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001448478Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:20.175{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54190-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001448477Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:20.065{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-201.attackrange.local54189-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001448476Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:20.065{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54189-false10.0.1.14win-dc-201.attackrange.local389ldap 23542300x8000000000000000393360Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:23.940{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B331A7CE43B3C3905E39A135A4E4C5,SHA256=6C15EBC967D92A4EF0F93DA4768E1038416E686256C3CDEFD247FC228960E856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448480Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:22.996{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7D673C082B16FF3EC62A23F2C6A8C76,SHA256=B09FDCB8EA0D76962CA511238F8D9FFAFB88C0CF820E7A1177FEFC438FA2149A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393361Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:24.971{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A016772A0D2FB107AA4D4D24FA008C59,SHA256=A9E739461609821CDD30A02098167A7102A9B20238583DAA083C625CDFB672BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448482Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:21.654{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54191-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448481Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:24.026{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C36D72C07F114E3142B67ED0FF2D01,SHA256=3A11E500BDE730F3BEB531F09C2583C5FD2BF9D89233571DE9E43CDF9FBFF8A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393362Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:25.986{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CAD347203CC4722A4A07D17F5F79108,SHA256=B4919744E32EDF24305CF6D1B7815960355DA26FD35BBFEF07E7685F5EB9A70F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448483Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:25.041{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1490360E6E59F9B8C5D068D0C10B9197,SHA256=624653A19C8214B0047AA5F9F59AE948D70A94A23C1986FC962A4DF5A2B72402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448484Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:26.056{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AAF6CDA1598C6B9545C5053BED9C542,SHA256=4B8570241805829CE55D165639F29B8C25BC37941E0FC5372BDF36B6E682B761,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393364Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:24.400{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53604-false10.0.1.12-8000- 23542300x8000000000000000393363Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:26.205{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2EFCD7CD28BDD5F42517E61683807C1C,SHA256=A16D44D3C74654D3E0F742FD1B68D394046DC2E025F9A060AA4604751A913240,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448485Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:27.073{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3628B7F2CD8BC1F66FC1745456842F42,SHA256=8F5596DF06648F6FA9FAE0414A80070019256AE4BBE20B69F9F29FAED2C4BE7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393365Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:27.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE6B81EB66DDA7C56EB79814A93AF3E4,SHA256=B354091BE4F505A94914845B1AC1E929A5641795A0124605B8E9B65F529BC588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393366Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:28.033{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33FB3984E03B6C8FF7B153DD14D637C5,SHA256=B90719315C849FEE9B3502034799EE89206A9308010A3D4E8A34780145D40797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448488Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:28.753{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53C32E5CE5B7EA76163F26601C33E2D7,SHA256=744C61395F68D825E5318966742E0423EACA0710175C61E11E43DB4E24F04895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448487Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:28.753{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2188F808D4774FA9D0A9FCB37D5DA86,SHA256=D673C3E2D58CE57F37062A17421591121E9D96D7BC8D900D07F8E72D27690E44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448486Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:28.091{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FEF3E7560DBB78A40227DA2A8A2F16F,SHA256=EB0E82CA9A595D9C9EDA0DE960A1992393EBEA0FB1D5728EF7C117CCFA9AC7D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393367Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:29.190{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D685CF4B28525F01B9F1C7A50409498,SHA256=4FA8F0D51C5F7B1C6460D5F28A3E6CB93F26440AB901095EB75EEBF215DEAF7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448498Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:29.852{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448497Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:29.105{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=043AB67112B02FEDAECE4296C6296816,SHA256=7915E79DE729893D8484BCBDB26E1A3E3C3123AA09822DB41C54D97475F3FEC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448496Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:27.201{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-201.attackrange.local54195-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001448495Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:27.201{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54195-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001448494Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:27.197{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54194-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001448493Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:27.197{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54194-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001448492Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:27.197{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54193-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local49666- 354300x80000000000000001448491Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:27.197{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54193-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local49666- 354300x80000000000000001448490Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:27.196{D694AEB8-B3EA-60E2-0D00-00000000D301}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54192-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 354300x80000000000000001448489Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:27.196{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54192-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 23542300x80000000000000001448500Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:30.120{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F591C241941851C4DF8FA7CBCB5684B8,SHA256=1E6CFD981EF09DA6D25E77E443A33441B99A3FF0F5AA9DA91013C9E99BFB4EC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393369Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:30.613{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393368Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:30.205{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DACEFDFA1E83C57B0E97CD6F2E96EEC6,SHA256=F429ED8E002DF5D052821208E0A805E052511E5A56F1AFF1CC1F5D40C4263398,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448499Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:27.678{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54196-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448502Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:31.135{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB63A785EA9E719E7A67112DFEFF281F,SHA256=3B8CAC745DD0396FBBC3962CC89703500607B217540F879B132AD36E52A79A97,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448501Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:29.292{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54197-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000393371Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:30.416{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53605-false10.0.1.12-8000- 23542300x8000000000000000393370Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:31.205{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2752314FF482E703A926F0D9892EDAD0,SHA256=100375021EC4960ACA7E0C2FE23EB1FA9193D1FB6B465B9FBB89CBBE6982AC9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393372Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:32.205{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A4741338C39D47F1EE69060B1D2A469,SHA256=C035598E206356948251BE27A56791C8B6C9B39D6DEB45C471CB86DD86F22A64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448504Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:32.468{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53C32E5CE5B7EA76163F26601C33E2D7,SHA256=744C61395F68D825E5318966742E0423EACA0710175C61E11E43DB4E24F04895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448503Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:32.218{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F169C2B9F88B546DA62FD0AC8E87602F,SHA256=7B12285519A445F39505E065C819BD82C77E9AF83C55AFAE1960001398080EF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393374Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:30.775{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53606-false10.0.1.12-8089- 23542300x8000000000000000393373Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:33.221{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=712643C2FDBE5948D0314DA2298BEBAD,SHA256=7E59C3873212498104F5242F1E04AB045E9C68B055DD09B532FE1D30854C0EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448506Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:33.716{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=97354B2E4EBEEF9D252107B345C6DD98,SHA256=4FAC2274B30A9C7A7EBA849C01C88EEA8025B788A1E51789DC408FE0D1629CA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448505Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:33.232{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C13940BAA4FE7C2BED13D49A4EFBD10,SHA256=8D9AE828AA42AF2B91DDC6A56EB72833A8E4D66B86E2C6C6E8590D79AFF3B284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448507Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:34.246{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FACC9F3228605E30AFD098B1DEAA58A4,SHA256=1F91D29E909D4870193D6832E80A2FF84EED32BB9CD52D6AD10DF21AB5E6590A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393389Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:34.831{7F1C7D0B-02AE-60E3-C709-00000000D401}24363220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393388Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:34.627{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-02AE-60E3-C709-00000000D401}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393387Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:34.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393386Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:34.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393385Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:34.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393384Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:34.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393383Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:34.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393382Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:34.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393381Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:34.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393380Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:34.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393379Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:34.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393378Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:34.627{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-02AE-60E3-C709-00000000D401}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393377Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:34.627{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-02AE-60E3-C709-00000000D401}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393376Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:34.628{7F1C7D0B-02AE-60E3-C709-00000000D401}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393375Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:34.221{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA24CBD8D74E85477DC5435773034BF,SHA256=0F5E55454C0D2AECFE49E7DE5B2EF1E2F8615F8E932CEB6570B47E708FD63E5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448509Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:32.704{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54198-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448508Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:35.264{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC6F2D561867BBCB44196DDF4E63994,SHA256=EB55749CAA0BC1899EBEDEEC61947CF2EDF1BCD666A099D22692914DE7CD2B31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393418Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.908{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-02AF-60E3-C909-00000000D401}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393417Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.908{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393416Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.908{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393415Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.908{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393414Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.908{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393413Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.908{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393412Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.908{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393411Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.908{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393410Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.908{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393409Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.908{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393408Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.908{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-02AF-60E3-C909-00000000D401}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393407Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.908{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-02AF-60E3-C909-00000000D401}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393406Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.910{7F1C7D0B-02AF-60E3-C909-00000000D401}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393405Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.643{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=959CE69ACDEC3219A89A3F7E5FDB7D4C,SHA256=3A3182A576ED31D97AB7A3D5AFFD1B01F8536C505333EA4B00741AE95B433ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393404Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.643{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC0E5DDE8DA72BCDD1A3EBB259F4A89C,SHA256=C03C1F9088BEA5BB6311EC2230744BA5FF47C8CBB3CF0AECD5E77DF43876AF36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393403Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.283{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-02AF-60E3-C809-00000000D401}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393402Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393401Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393400Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393399Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393398Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393397Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393396Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393395Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393394Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.283{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393393Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.283{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-02AF-60E3-C809-00000000D401}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393392Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.283{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-02AF-60E3-C809-00000000D401}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393391Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.285{7F1C7D0B-02AF-60E3-C809-00000000D401}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393390Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:35.221{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20C072C931A3DDDABC19A3E9556B315C,SHA256=E23DFECF1A6031326A5A3AE873DB3B757B945DE3AEA9554B44209C111A025C3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448510Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:36.283{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=209540E1FB57D047F40D893B44298DDE,SHA256=EA90D6D126D1805E1679A97CAF9BB5CE1F8E544C857B0B909C1FB28FC2273FE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393420Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:36.908{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=959CE69ACDEC3219A89A3F7E5FDB7D4C,SHA256=3A3182A576ED31D97AB7A3D5AFFD1B01F8536C505333EA4B00741AE95B433ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393419Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:36.268{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBDCB5BAB46C9CA409B890C0E230AE40,SHA256=E46353C541958A8966C554F81DB86F292F8D0352BA462B2BBC80A35F3589C3DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393421Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:37.268{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89A46337FB3A9B8C9C4411963CD985F4,SHA256=24A16E6B5911B03D1C0862141D5EBCA007F789A9261D5FF6F5F335D60982B686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448511Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:37.297{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B996050572E2BD18D2683B2B35CF9A05,SHA256=BDCAA7E98B8FC6AA531F0E1C57086D1667312850E1544418ACF2DD8DBF93DD0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393423Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:38.346{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674EECA7539A2E7D136756D1A74D000F,SHA256=BB5A8406F902D84B4CEF58E31F7E1116DA0A4F7CBFB92DCEE38F6E4CAFD0BC29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448512Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:38.311{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28830C39B3DF211EA8BFE833280EA7A1,SHA256=BD8CE7B50FFFB2B53A795E918FBB8D6B33FC379FC7E524B955FC0A17AC607F7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393422Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:36.400{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53607-false10.0.1.12-8000- 10341000x8000000000000000393451Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.924{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-02B3-60E3-CB09-00000000D401}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393450Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.924{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393449Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.924{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393448Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.924{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393447Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.924{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393446Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.924{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393445Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.924{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393444Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.924{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393443Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.924{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393442Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.924{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393441Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.924{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-02B3-60E3-CB09-00000000D401}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393440Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.924{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-02B3-60E3-CB09-00000000D401}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393439Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.925{7F1C7D0B-02B3-60E3-CB09-00000000D401}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000393438Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.440{7F1C7D0B-02B3-60E3-CA09-00000000D401}19443964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000393437Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.361{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF6789321A6244B47C1E5435BF69EB9,SHA256=47518FB1219F65790A75526EB49B8E8FB1DC6B9AB0A78AB903C4D50EB9E4CD26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448513Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:39.343{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=702F7957F3EC8C0B7E8824296DE8069B,SHA256=652DCCFA6736B6B9FFD5334BC1ABACC01C1B1781D7C9D9BCAC0B98EFDF88D88C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393436Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.252{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-02B3-60E3-CA09-00000000D401}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393435Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393434Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393433Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393432Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393431Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393430Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393429Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393428Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393427Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393426Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.252{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-02B3-60E3-CA09-00000000D401}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393425Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.252{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-02B3-60E3-CA09-00000000D401}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393424Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.253{7F1C7D0B-02B3-60E3-CA09-00000000D401}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001448515Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:38.699{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54199-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448514Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:40.360{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66C91B86D705FEC7555136790879B75,SHA256=9B2CDD6E82BC612CD3035AA81753421894E1E2B96AFEB7D52DA2B45B491EFC6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393468Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:40.768{7F1C7D0B-02B4-60E3-CC09-00000000D401}39081372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393467Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:40.596{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-02B4-60E3-CC09-00000000D401}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393466Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:40.596{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393465Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:40.596{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393464Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:40.596{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393463Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:40.596{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393462Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:40.596{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393461Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:40.596{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393460Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:40.596{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393459Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:40.596{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393458Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:40.596{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393457Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:40.596{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-02B4-60E3-CC09-00000000D401}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393456Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:40.596{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-02B4-60E3-CC09-00000000D401}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393455Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:40.597{7F1C7D0B-02B4-60E3-CC09-00000000D401}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393454Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:40.455{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD14E1B11FEB0684BBECF43FEE6A3BB4,SHA256=857941364AA2422CC85C152895A8FA6D545E42B8C32F9D4B50D2D8C67B802F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393453Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:40.393{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13DFFD75FEF3BC47D49FBF5F1E5366D1,SHA256=12EEF2847789B4885419E2997C6918355814D4EA96610C1ACBAD475FDBE7EA58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393452Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:40.127{7F1C7D0B-02B3-60E3-CB09-00000000D401}28522884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000393484Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:41.596{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FCC1D3E7AF00CBFAC9D410FB4D2EFE4,SHA256=86FCE764E4B5F9B995283B4C5AC033B851FE0B23D0C932EEF668AE4AC675419D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393483Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:41.565{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CAEE38D85D12BF04125E1AAA3EE3C0F,SHA256=5DDC9CD9EDB126C2997962DAEB8ABA6ECC2DC095ACD6A38AD9623D0170368193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448516Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:41.378{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A509A6B627C52E149CE9E148D8502AE,SHA256=778B0289AE8106D9AA85F15CE18957EB78C0A83551B0EDB1C3CBEFAC94691175,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393482Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:41.268{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-02B5-60E3-CD09-00000000D401}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393481Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:41.268{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393480Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:41.268{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393479Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:41.268{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393478Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:41.268{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393477Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:41.268{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393476Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:41.268{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393475Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:41.268{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393474Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:41.268{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393473Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:41.268{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393472Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:41.268{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-02B5-60E3-CD09-00000000D401}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393471Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:41.268{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-02B5-60E3-CD09-00000000D401}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393470Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:41.268{7F1C7D0B-02B5-60E3-CD09-00000000D401}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000393469Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:39.283{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-62097-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000393485Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:42.783{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D27446F1E39BEF33AAD8E44278172C,SHA256=2B1A326C0CAF11C9F6DEEE3A067929572D1A46F76DBB39ADA5C283D4F42C4EE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448517Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:42.393{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3F35932D5408AC6D5584CF728D2DF5,SHA256=C08533ADE90B8364B7159802D20245E406255BEF4018B6559DEB185AAC455460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393486Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:43.783{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B244C5501C41B94AA95433955F8EC78,SHA256=89A7153D6EF483758D07D2A15AE3BDBD032176078A9B7BD580081752D01E5546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448518Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:43.408{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80A6E6500DC0F32F2C86D9FEA2F6EC8,SHA256=44827DCABBD6161A2D80569079BDA9141FB869D9E8F1240983C9BEC4B825F888,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393487Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:44.799{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51534EE07CD53186A57CCDB658EB819C,SHA256=77D279D41055A445CB072E03668393A6E005D1A22D75FB317F0269561ACA17BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448523Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:44.438{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AFD63C6EDDD6E23C02FC15F9D3917FE,SHA256=FD6F246656A81B2153B5216170C1FD098A03F02AE8F1DF103B6761CFFC30F152,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448522Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:44.107{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55af0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001448521Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:44.107{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+555d1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001448520Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:44.107{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF133e951.TMPMD5=7CC92A355EA66A219E3148903E63F654,SHA256=CDE288AC5D74287BFA2D9257B236405535586530C59E6CD093A4AD9FE7326A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448519Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:44.076{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\aborted-session-pingMD5=833EAFCDC2C4FB92500929E4C19EBBC5,SHA256=07FD51A2B1B3FE53B2CBC93125DF1F21D46131046A64779B22DD266B1CC15646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393489Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:45.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8BA4679B1826ACF3796F67F4B8133B5,SHA256=B921ADE8F699C23EB89A45107905115C416589EE49CB8D9C8422F3A1D230B77E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448524Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:45.454{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD89A9F438CB6B0090CDB1764B55A4E9,SHA256=96D3A55FDE7086C9A7D89DB2022431FE5ECFCE4F62FEBA751FFB8BA02C02CBB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393488Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:42.400{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53608-false10.0.1.12-8000- 23542300x8000000000000000393490Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:46.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CAEB404C7B3B3152835AA6857FA2591,SHA256=DB929C49772F8DDEDE927F7E2FF39BC71BF839BA3BAA996AC060FB6B6AE3860A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448526Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:44.509{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54200-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448525Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:46.473{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=826959C8B06E527FDA1BE736E983D6CE,SHA256=F5D0E0FDB252B87A02E735B3938FA4C0E785FCC521D8F0606752016957CC78F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393491Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:47.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8286B9578DF3060F61CCAFBF7E27880B,SHA256=29B2E62863117BF1E8813E5194DC26310516912472BBE2DB27A2897189E7D747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448532Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:47.488{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3025D6C4267E073170D67759CE808F6C,SHA256=DA183CEBEA41B39D63C34BA44815C9D997EF8E937FF828E6A089564DF3FA1BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448531Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:47.288{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=53E6D27A34234C6DC4FC2F4439DAB98C,SHA256=C44E2FC00C32594179804054370F6EE96212E8312BCB7173ECD36BCC5471258B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448530Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:47.288{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=6887C68F92B5A4AEE8846C6EA208DFD3,SHA256=52922D993D7712CE691E2F1A551CF102575479B12CCC792DE9C440F0E41E22CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448529Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:47.288{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=453387CB7D8B7117401FDF0241197BEC,SHA256=F668509BEAC0569603CE4CFFC321F060313BA880ABA7F64FA14F66048F257134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448528Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:47.288{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=1C8F0770E68C93F7157130BEEC57B222,SHA256=3DF7D0CA8DC3F3F6E342C4BEC9AB861E0987FAB5105865542AD888015F24177D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448527Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:47.288{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=12B5FA6D0B8614F1210BE67AB87F6EC8,SHA256=336F0293394151284EC20A4480C4E5829DE0864FC1A73ED1D46B689D7ED6EBD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393492Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:48.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9B3275CB0A888647EF6CAA7883E05E1,SHA256=9C1026EF183AB835DA20EBAC53FCFEF01CA939906E9B7581151BB144A38E0456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448533Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:48.502{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=613030114F568552F95ADCC74E420E82,SHA256=B402048E8610107FE08FFD420D32104CA3814A533A842CF1996AED30FFEF7C28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393494Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:49.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B6F036D8A9E3A9F545D62262A9E41B4,SHA256=E80AED59DC264AE042D5506375E5A917A6737A12B31196A93F955FFC9F67DFC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448534Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:49.532{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33C77C1401CB98A58D5ACE29EC3319B,SHA256=8BBFDDA61385050655224F08804DF73962EFB9377E316D24D6012AA02870C203,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393493Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:48.354{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53609-false10.0.1.12-8000- 23542300x8000000000000000393495Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:50.893{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65CF915F9504ED157018077B798EC32,SHA256=25C4AD69D834E7AB03732748563ABFB783E5F483E8DE8212FF2AC67D9C8C785D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448535Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:50.584{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16AEA6AC17D57397D71C025F3408E2F3,SHA256=05F4AFCB85C5680260A0C695BA7DD7CF6AFE32182F18035736EE94E079E746C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393496Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:51.924{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E933A3239ED5E9AA8996A37C8E9558,SHA256=C58B979F4E78EF0C20790C7AE9CC4E9C316FC568B7099F33FEEC9F300535AA64,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448537Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:49.525{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54201-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448536Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:51.599{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4304E72E2598C1965A793C7F6CEBA254,SHA256=87738B792201CEB8186B05542B2AD4C7C38593F8904522E7FDFAEFC69F411CB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393497Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:52.955{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DDD261074AE43F890EDC94363988DB2,SHA256=2A1D53590AC91936A5915E01DB5B96903CD30FE7D1FA9B5D5D5214F93088BE4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448538Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:52.629{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=854BCE1F89231BB685E2C6AF4EDE5CB7,SHA256=EE94024EA8E8BADD480279B76B21A6A70709F0030103C57D9E13C5DF49988409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393498Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:53.971{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440BF57D8AEC5D6A540D14BA14660F07,SHA256=80056F834569B9DA05B19D82E0521DB93D6E6D8D1B5F6700957AFAB59CDB5BFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448539Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:53.646{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=582A36EBCA136086AC693A0669E8620F,SHA256=25477D0FC4867FD17026D9A46868FE2AE2A8A2B8B3C3431CD02F74E414CD1AC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393499Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:54.986{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E2B8F5B4D853F9D5688CDAC332ADE3,SHA256=308C99C67F0FF4C4DB0332D5630C8331ED9AB2B48D4967F770ECEA4C6E8005C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448540Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:54.649{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC6B36EEA61B51A657993353A2C8429,SHA256=A3DCA19EDD035FA6B299636FAC5EF5D12A8DF33028E6AA56E96EDB5C6877E767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448541Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:55.664{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46082E6A133905B913AB912094A9899A,SHA256=BEFDDF320CB725F818DE4979AAA1F1E13795A3E85CB8436F3DF9CFFCC409EF34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393500Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:53.369{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53610-false10.0.1.12-8000- 23542300x80000000000000001448542Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:56.678{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=436F766C3F77F0BE9B47D4D134C80AEA,SHA256=1CFBC4891023146DD79538E531871B5273CDE30F34DFA03F8E0FA823522BFC69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393501Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:56.002{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB11CFF1F5E64670B47621A1CC8F820D,SHA256=9FB167DB062ACF2132030D7341B652A4E79896911E24E0640CCCEBCF4FE92899,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448549Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:55.535{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54202-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448548Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:57.708{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28279B2CF161F97D357E98A67587B388,SHA256=032A3B2B64C00D622DEBFB6CC1A8270D301CEDB6FE183889038210421A6B4133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393502Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:57.002{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92EC281E74836D16E17947D1EE4B8A66,SHA256=298BEC8C653A6B7EDF1F72BEDA07852BB90CBCCF4D60AF73E8439C2904020C85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448547Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:57.309{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=B4B539EE7A3F329357864BC1D66AC897,SHA256=4A9371E1BC925EAC95C18894D8964916EF24120A7DCD15351B6887749E80250D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448546Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:57.309{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=263C94760B048D38D3F8EE33FA747D87,SHA256=E619A33E6303AD45863E16ACC931C68FF225C365AE689B6279F4B1DE094C2442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448545Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:57.309{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=501949EBE98774891B7344694B7F539E,SHA256=ECC741E347909BE7ADD81EDCDFF9740D1EB53E3244A0F22872E9C6A929F55B3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448544Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:57.309{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=CAD61CBFB8608478B59EDD76F6C3C86B,SHA256=7244B29FEB44DD86E66EE42CC6DE507F427CC0F461594515BD131E0BF8A16D55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448543Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:57.309{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=4673850465C9D3B18ED7333143CD8400,SHA256=03C9E30B71EF6C4A3E3818F6A3D2AF37755D6E4FDE11A991A27E5C468522B0BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448550Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:58.723{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6907DFB07936EA9661FF2472D468DAD7,SHA256=BBE90CF183C8EFA0743E8E8293B68DBB01122FDE8AC98CE2209160A416F6C0E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393503Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:58.002{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAFE5AA99FB4982975E834C72AB25A49,SHA256=567565A095FAAE740CA4F6AC001204C60B8CF9CEF404D13DDF8C3C8597817CD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448568Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:59.960{D694AEB8-02C7-60E3-590A-00000000D301}57405716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448567Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:59.791{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-02C7-60E3-590A-00000000D301}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448566Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:59.791{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448565Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:59.791{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448564Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:59.791{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448563Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:59.791{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448562Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:59.791{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-02C7-60E3-590A-00000000D301}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448561Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:59.791{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-02C7-60E3-590A-00000000D301}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448560Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:59.792{D694AEB8-02C7-60E3-590A-00000000D301}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448559Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:59.744{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E24CC897BC2403E023D4155F1B4965BF,SHA256=2504A1735878E20E216FE3CB808B652B7DD76EC7CEE866DD4C20292D882D4821,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448558Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:59.123{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-02C7-60E3-580A-00000000D301}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448557Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:59.123{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448556Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:59.123{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448555Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:59.123{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448554Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:59.123{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448553Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:59.123{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-02C7-60E3-580A-00000000D301}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448552Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:59.123{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-02C7-60E3-580A-00000000D301}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448551Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:01:59.124{D694AEB8-02C7-60E3-580A-00000000D301}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393504Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:59.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A94E9050F069436848D5F1255F3199F,SHA256=4D5038CC1DD1A0BBED781528D50267E9622D1E919B767532834C8D218907AF50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448579Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:00.758{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF8C00487D56BB4DDBDE2F139EDA679,SHA256=5567ECD1A20EE27802F15BABE41F472307F0D0DEC463641ABE555CBA008C8ED3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393506Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:01:59.338{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53611-false10.0.1.12-8000- 23542300x8000000000000000393505Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:00.018{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A5B7A005426F02E709AE768C3E32F0B,SHA256=F9D1E10C636C0FEAD0AB63EE12887BC69F400743BF2238757BBADB27901CFB4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448578Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:00.459{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-02C8-60E3-5A0A-00000000D301}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448577Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:00.459{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448576Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:00.459{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448575Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:00.459{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448574Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:00.459{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448573Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:00.459{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-02C8-60E3-5A0A-00000000D301}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448572Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:00.459{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-02C8-60E3-5A0A-00000000D301}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448571Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:00.460{D694AEB8-02C8-60E3-5A0A-00000000D301}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448570Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:00.222{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDE3F74894D0F983DF5FCC5686E54FE0,SHA256=A681FB565E8A654C66689C77E8A7D0631F875E5E6D39E4B4A77A4610AB204EF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448569Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:00.222{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4753D485E361922C969A535EA6282C78,SHA256=30DB75AB9BEF6647DD5DBC5638AAAA379F39528FAD441CC9469C407F320F7FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448581Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:01.789{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5192A4F4793D11FAF7C3F012F0EB3970,SHA256=027A128C92ACF5772B068F680FBBF6DA0096F8F574BAC776C134A3D84B2AB8DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393507Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:01.035{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D401A1C137B691C0E5AF6C368EFEC2EE,SHA256=9EF8DE654074BC53717D3CC813EA9E4337CA31A4F5E869F07A22A0F5368B60E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448580Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:01.539{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDE3F74894D0F983DF5FCC5686E54FE0,SHA256=A681FB565E8A654C66689C77E8A7D0631F875E5E6D39E4B4A77A4610AB204EF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448592Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:02.957{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-02CA-60E3-5B0A-00000000D301}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448591Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:02.957{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448590Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:02.957{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448589Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:02.957{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448588Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:02.957{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-02CA-60E3-5B0A-00000000D301}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448587Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:02.957{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448586Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:02.957{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-02CA-60E3-5B0A-00000000D301}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448585Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:02.958{D694AEB8-02CA-60E3-5B0A-00000000D301}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448584Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:02.804{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8162DAE88171B4FEB9B597537B6A6E,SHA256=092689C73A3A4AA1B2907DA7CB6DA5EF29B7DB16328C684BBCE38AEEF0AA2435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393508Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:02.046{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1816A183CA42CE52FC81D6A929AAAC2B,SHA256=0E4E306D25BB673FACA50A25E72D5D68DA1685E1AE92D7119F1484068FE5F83A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001448583Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:02.420{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\AlternateServices.txt2021-06-30 11:32:16.512 23542300x80000000000000001448582Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:02.420{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\AlternateServices.txtMD5=162A81582A8D7992ED213BE24E88AEC5,SHA256=EBE42B6252623CBAF3FD9F56B26AADC6DACC4B8CE8C5526BDA6DF875C266D17B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448604Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:03.971{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06F8658D4E3FB5E896FF451B42E54DEE,SHA256=6DF285C47CFC2E88DB523D69F27CF6C5BB8619069EF57D237F8356D2C36B330E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448603Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:03.840{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A94388F1AA7BADA4186AF37D29155E88,SHA256=D43D9C8501F6EAEA2BB22DD788979424AF5D63496E6725F1044D053CBED55F08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448602Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:03.772{D694AEB8-02CB-60E3-5C0A-00000000D301}71044392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448601Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:03.639{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-02CB-60E3-5C0A-00000000D301}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448600Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:03.637{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448599Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:03.637{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448598Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:03.637{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448597Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:03.637{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448596Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:03.637{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-02CB-60E3-5C0A-00000000D301}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448595Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:03.636{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-02CB-60E3-5C0A-00000000D301}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448594Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:03.635{D694AEB8-02CB-60E3-5C0A-00000000D301}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001448593Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:03.119{D694AEB8-02CA-60E3-5B0A-00000000D301}46766008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000393509Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:03.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932B1CBC2B5583F6B993CBF162F1FA6F,SHA256=69559DDC3E9A4557413ED8C0E66E2BAB0E3A31E7C415D1E82B51E9910BF14A8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448622Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:04.855{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA6E91B8B6ECBA547027421C57F2B86,SHA256=2F5F40227955159A54B04964865E61393161DD0ADE7BC0E1EC31D3598CD56107,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448621Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:04.855{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-02CC-60E3-5E0A-00000000D301}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448620Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:04.855{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448619Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:04.855{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448618Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:04.855{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448617Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:04.855{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448616Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:04.855{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-02CC-60E3-5E0A-00000000D301}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448615Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:04.855{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-02CC-60E3-5E0A-00000000D301}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448614Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:04.856{D694AEB8-02CC-60E3-5E0A-00000000D301}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001448613Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:04.187{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-02CC-60E3-5D0A-00000000D301}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448612Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:04.187{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448611Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:04.187{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448610Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:04.187{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448609Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:04.187{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448608Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:04.187{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-02CC-60E3-5D0A-00000000D301}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448607Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:04.187{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-02CC-60E3-5D0A-00000000D301}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448606Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:04.189{D694AEB8-02CC-60E3-5D0A-00000000D301}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001448605Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:01.545{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54203-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000393510Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:04.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6DADAD833A314C348544F0543E547F3,SHA256=4FA8CB245BD8DBD90146A572953DD3BD37A9DB45A40E1A8B7DAB20A343ED2B67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448629Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:05.870{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44350CF57A57173690EADDC41EF3976A,SHA256=35188064D729EC9C21BECADE451D79FBFEF16168AA88069220C646035DB93EC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393511Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:05.049{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4218CCAF116CF61B4940995CBCCBA0F4,SHA256=00B8D43F5CE88CBF8361BF35113B9B90B29B15560260582028E07F60D0C95C52,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001448628Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:04.557{D694AEB8-F83C-60E2-EF08-00000000D301}6572e11847.g.akamaiedge.net023.210.254.92;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001448627Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:04.557{D694AEB8-F83C-60E2-EF08-00000000D301}6572www.ebay.de0type: 5 slot11847.ebay.com.edgekey.net;type: 5 e11847.g.akamaiedge.net;::ffff:23.210.254.92;C:\Program Files\Mozilla Firefox\firefox.exe 354300x80000000000000001448626Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:03.059{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54204-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001448625Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:03.059{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54204-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001448624Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:05.202{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1F51FAE46E7C12ACC0C2B43243794E2,SHA256=C33B3DC4EA2BBF747991EA4CCB77AF0E858C6C1386E53EEF7BAF3526DAF44F40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448623Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:05.002{D694AEB8-02CC-60E3-5E0A-00000000D301}55604484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001448634Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:06.884{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=981A32449156C71A6C3D02C4EA5B6E60,SHA256=FDFC422D76A90130F5D9BDD501D0117B97812653582710A244FE1EF164E0EE21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393512Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:06.064{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03685AAD48FB7CCA49B5267F0CFA3118,SHA256=494F66E6AA62F959DE8541C18006C75687483C8A80B496E6C80796D7B9F20D73,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448633Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:04.014{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local65298- 354300x80000000000000001448632Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:04.014{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local58327- 354300x80000000000000001448631Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:04.013{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60652- 354300x80000000000000001448630Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:04.012{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63349- 23542300x80000000000000001448635Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:07.899{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA895F0DCCECF11326E486883C7EE978,SHA256=52ABB3A0DF38E3DA7CD3706EBFE7B113AC01D158A482F045FB5A1D1D85945302,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393514Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:04.369{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53612-false10.0.1.12-8000- 23542300x8000000000000000393513Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:07.064{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0AA50A0623742D9FC7AAD7A9C603CE8,SHA256=189ABED427D7DF95ACBEE121FC8472A9A5C185E97ECCDD8E726C869556866A28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448636Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:08.913{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AB003E025E6BE7992D795C85BC3B744,SHA256=80D4E1D53037824204E89DFBFE7467EF9F1CE739B7B86706EEF897ED2DBF2F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393515Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:08.096{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8887FFFFB5D1EFCC2A4A6B0F6421D9,SHA256=C8F220C0B6542A9ABFE93B4D2B87431E785876CF85AA430FFD621A6E255B6181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448638Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:09.930{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FF8F7C8012572FE53F440C64D280D0D,SHA256=AB1E1E4CA6FBAE1A4A2EBBAEF5FA88C88CC38099B2F630D046D0966B7C572DCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448637Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:07.570{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54205-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000393516Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:09.096{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADEE0530287D1E79816DBAE485D85783,SHA256=47C0913E5332451F4EE35FBEC4FC4F36FA5C66C02BA245BB5707EF484F337705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448639Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:10.948{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49237250A7231649A5DF6C63532DCC28,SHA256=A28C2CE1EE7C53334D25010BDEC3D55AEAAA6A1823B0119DE307BC73AA737606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393517Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:10.096{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=940E7999A79036259F0FF18FE59D1874,SHA256=37701DCB043F888F4B40CC3449E794B3C4EEB04FA00F1D47E40CCD782DC1AA7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448640Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:11.963{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3547EAF84E21DEF1A5B9E8ACF50EC933,SHA256=530E7EFFD766FD8F9DE76454E017E739F358083C20F148B2AB0B0C35AFD0F33A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393518Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:11.096{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DDF8344603EB5FF3EA7C3C4779251A7,SHA256=DC391D52712071B5DC8DF530AF0F6C6570D421C6116FC7C4BE91DFA3110C4753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448641Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:12.977{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0870641B72B94794D2BEA577BA255CF0,SHA256=A2D6307AD83EFD56EAF29E434635E3BCD6BC4C57C47D80C54E43ACC1F4A0582F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393520Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:10.385{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53613-false10.0.1.12-8000- 23542300x8000000000000000393519Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:12.205{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24748EF90A9C66F6C90CEA40D0DFD66,SHA256=D62B2CC3DF90B5BF5AB3904AF924A07233DE3700168E00611D5DC69E604C0F2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448642Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:13.992{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021478EEFFF420486D870C5C173B74DA,SHA256=1E64D4A09451A47B205B9D4CE4E008405F7E73C8FBA1BBBA046665C53FA0BD04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393521Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:13.283{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=549D8E1F1B08DB8F1D000D7294E802EB,SHA256=B8487A6EE9A0EDDE44D182418F23BD249E832016CFDE69692CDF6337B7E61FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393522Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:14.283{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE983E2C07A56845557B4B9B85754099,SHA256=379FC6E3F682C1A16AA23C4260F7938C8C4405A123ADD2A8D909281A9F4EE6D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448643Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:14.544{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=619669F0AF245F364B3104201FD3B882,SHA256=A30AA1B7E0D146C326E3EFEE38EFAE666918009C62B49686C745C965FE55A213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393523Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:15.283{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F669851D2D2BBD2CB65D396AC3D833B0,SHA256=319AE8963BC177639BDC8886869E1E1B706089CCF1D06F177CC3152877410BFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448645Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:13.578{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54206-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448644Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:15.024{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A36685B87F56C85E76501E5E056FAE,SHA256=C23D726F23A7B998B66E5FC98E3E7CD817A528AFA10CA774974F7C316C7CA926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393524Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:16.283{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0694E3E3A7E564E00AA19C2F23112690,SHA256=47A0C5EF362CD31BC06258414DD5797DB7785101245DE9DF0180C8B41FC76DA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448646Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:16.089{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18CE49B4F65C96CB2B4E7D5EF18B4DE4,SHA256=72B7330A33B5999EB1700AB1CF3C531FB529EA95498812F79AD3C91434459113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393525Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:17.283{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C169C7408FDD27F0CF541859976DBD1,SHA256=44682D313CFE67B12093F0359C3464DCDEB46968C685618C68AF9701C580DF12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448652Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:17.372{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=2A84CABF7BDCB0FE22B93A9EDA53B5D3,SHA256=6D2ED4329E0948E8A105E6D32E8CEFCD2B62439C7B768105EAA5632DB8E515F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448651Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:17.372{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=23EB9DE013193BCA024720166BFF4B8D,SHA256=9791D13F3865671799C791315190AE104DDF35F84AC292FA50081BBBE4171CA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448650Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:17.372{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=8E8AA5EBF423B62F6CE0267EBAB701E0,SHA256=3245EC7FFB8ABBE6CBB7BCB64D29D85B9E6FDF91204110D78D3104C159B34F0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448649Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:17.372{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=6E235A9FA7659F9C0694B1699D7F45BC,SHA256=85174440DFCB19E78532C5C9C37F041B656B857FB0C507CE5E1DBA99CE427682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448648Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:17.372{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=4484A42C3CF5652A875EAC098A4FE226,SHA256=B9CD75543D80BED9E19B127E9E9A1150D9AFF037339A379185047C2DFD0CBAA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448647Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:17.104{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A7B26B318EC96376E79777AA40D832,SHA256=C0C559F402D4148810D0ABF24FC8950B7D83175BCCC133396F7E8B8754B09088,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393527Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:16.416{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53614-false10.0.1.12-8000- 23542300x8000000000000000393526Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:18.283{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D87DF4EC778E1275E6D668848959D4,SHA256=B46F3BD2B145E6326D75581D818D71AAE71C33E6C9672272B14587A0BFE2B362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448653Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:18.123{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7F034CD1ECB0355FDAAF304D4C9356,SHA256=ADDF7C29629810927F5C36DE96DDEA35B84B4DC40167F481009D66268B653C69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393528Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:19.299{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=024D6F1669084FB6AB7529A31C7F5195,SHA256=29E020FB782676F63EC7CA5A346CF985F0A6C5E0261E13610AF6818179162417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448654Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:19.154{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64740FB125929B13CBD55731A7DF3D71,SHA256=E1968412065193149C8475137CA26EFC6235AAB211C4723973C784F1ACB8F164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393529Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:20.299{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C0F1ABFCB4A827196BB4A8C9613E571,SHA256=F597BC78D2C5E682F8F75003C7907096B4B22AC3D2772B61A4D74A99197C0E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448655Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:20.169{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1AD256E7C9BABF2D2FAA9DC969B44AF,SHA256=03B006213D086A2621BC9CBF74E6FA043E45BD54E8523584A373206CBE84C753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393530Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:21.299{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A16FF77AAACD2A888575C14058D4D033,SHA256=D319BD68C073578EB2B4F46E36102044375F081E01BD90E6CA6AAE036C2BF329,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448657Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:19.609{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54207-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448656Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:21.184{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D0DF2EE901C3D84A2F004F5E9946C0,SHA256=A8EDE2B94FF7C7205486840D517661A2F16E9749DA4EF3453A21BCACB527CFA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393531Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:22.299{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83EC3B9DD743D2C16A5762FCC07E437,SHA256=166711AE252CC50EF9F190B6B464119795B2783E126F8FC81F0BAAD856C1C6C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448658Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:22.217{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B15686B8E3DA038AC3D047A8A58CB3,SHA256=78ED0BADB46508964549DDDD3D9BB34AEAC3E94BA8ADC5C0F909297D75EC4E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393532Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:23.299{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1B1DC88CC6AE73E2F26C719C515868,SHA256=2FCE1F22995369B2359657EE53E9243C10E552FEA31E3A29A98BB4C537F5C8FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448659Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:23.250{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E75DB06067B62C1CB5371FB65F3F0C8A,SHA256=63E347DBA3DBE05422F6A372FE118C559D1E4587A7911106256EC7413DBAEF58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448660Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:24.264{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F964EFA51F8BC5170C3F0E477A98DB,SHA256=123AF27DC1E89D03EEB7EB5285419A18A54C84F22AC5E79920F19BA788D3C1ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393534Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:24.314{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69BDAA8A207C5062644087564CAE7A12,SHA256=00BC4A4942ED1513F240BA101B7CDA852FB10EF49AEDF34460F2E022A24DF878,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393533Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:22.401{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53615-false10.0.1.12-8000- 23542300x8000000000000000393535Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:25.314{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8B29C1702B643E3028644072E3896B4,SHA256=FD6B6DB682DC03B6A59A2AB81909F66C9855EE601F1E98BE9FE54BBBE74C57A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448661Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:25.275{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A996761A83D7CD380A90D2B7E745077C,SHA256=A56EF3E74A2E52AF764B401EBE61BF8F686EA422325D708F0031E4163A001E29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393537Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:26.314{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15AE23A43512D7473581DBF374743566,SHA256=5B1163424558E7335C32CED5F202DE4F0D5B90B022427A96FCA7344BC7CE50B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448662Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:26.278{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5561C94827BB8B3A60079ED8816CA7F,SHA256=1EB26658CACB1CC44EAA7ABCAE0893BB04E89C09796279AADEB17ED03B6EBCEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393536Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:26.205{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DE4892B1BC9FDA51E4F9B019B96F8D5E,SHA256=020E88B6AE106D98E738C7A0355D05C0F99EA1886FEDF1409756BEE72D4D069A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448664Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:25.601{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54208-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448663Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:27.310{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F67FE95E7FC0F0A26CA95EF1F7A2BD,SHA256=A5D5FF68B30DEAB45A52BDA767478A74409F300F08C904C41E2E1EB20F31A0BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393538Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:27.330{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0953146B435DFFF29256720CD6187A6,SHA256=73C6B66C053FAA8F99ED8BAB530B2B0896FA56378768CEE9E82FD28737EE767F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448665Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:28.343{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F451E1A3FB0F103FCB95E7F99FA013,SHA256=178ED5DEA5EC1D236230C4327336D8F1959C13F09D9816AE59812B3F3938E738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393542Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:28.330{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6CA4A8519C6219504F6301F85A906B4,SHA256=36515C3CB232B96659D16A29BD05D19A3579430D18C797A9A7C6E7D0F96B9B4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393541Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:28.221{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393540Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:28.221{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393539Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:28.221{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001448667Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:29.874{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448666Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:29.374{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6AA485A9CFF1920AB500E0932BA2E86,SHA256=4F67A240AE242B1BE9C63BCCB4E70803B35E9140CEEF20C292234BB57B5DFD86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393543Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:29.330{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333679F337AA2CE4FE400A1B7E5F7E45,SHA256=0E48BD1C03FD1FE8EE26B3060BB3F845A3D6D7E97E82497F2FDC35248874A3D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393546Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:30.642{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393545Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:28.370{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53616-false10.0.1.12-8000- 23542300x8000000000000000393544Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:30.330{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3ACACE2E9EF5DAC50DFB941D20E8BAA,SHA256=0320FF829B8B00B8A6C4393556646394E840BF41894A24160EB2EE6A4B1DB3DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448668Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:30.407{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2B2F5B89AEAF6BDB683B049CD39E1F7,SHA256=BD837B8CCC46B5157C95A3A60B53785FE3525C5926FF45C3E5F25FA1A2F23730,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448670Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:29.314{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54209-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001448669Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:31.425{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526C1645E39E5F49E301982078669B32,SHA256=E927E09A507D2470F2A3AFB7DA5A35AABEAC3D4C0A0FEF22A12F77F80985ECB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393547Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:31.330{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B9914525127BA002655205BADE53E78,SHA256=38DF2F33724E74041E1A3CE86A8764AB5BD15F60C1CFDB1851384E3E546EB235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448671Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:32.440{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0906B38082EFDCE3E2888B921E1225,SHA256=3AFB0A7AC2E286C7B8D680D5012996F8B3FF80A6D3BA69FCC7501A84C63F5FE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393550Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:30.807{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53617-false10.0.1.12-8089- 354300x8000000000000000393549Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:30.400{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:884:baa:f5ff:fef0win-host-884546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x8000000000000000393548Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:32.346{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE1C07E221A8F2043624AE059F3D7AF,SHA256=EB053BB45B876380C9F89D539F3DA17551FAB3317BAD5FAF050912DE1CE2CB64,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448674Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:31.626{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54210-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448673Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:33.723{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9A76756885DBE9FB4CBFED0CDC0F11A6,SHA256=0D7A612473D41EE26DB343CECF5F24B8C050160BB61630D1D560FFB0310BDFBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448672Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:33.454{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CBEC864FBE314B93D7E28C32CB06730,SHA256=DE2FE47AEBF497D33A1CE9651B8F71CF34E4E4737D22D0D163E06144D3FFD464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393551Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:33.392{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D3A19117F092166C03A05405ECFFE6A,SHA256=0B53144803C85CC47B77FA084D25651FB5D13E73DDBBDF7C065C303FDF889B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448675Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:34.468{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C65CAD135D31E898057EC0C7C07B50,SHA256=07107283E1E68FE8B5547F58674159ABCB2B452B7EE739E9EF384E3AA6D924A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393565Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:34.627{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-02EA-60E3-CE09-00000000D401}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393564Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:34.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393563Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:34.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393562Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:34.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393561Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:34.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393560Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:34.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393559Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:34.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393558Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:34.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393557Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:34.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393556Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:34.627{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393555Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:34.627{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-02EA-60E3-CE09-00000000D401}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393554Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:34.627{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-02EA-60E3-CE09-00000000D401}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393553Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:34.628{7F1C7D0B-02EA-60E3-CE09-00000000D401}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393552Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:34.486{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6DB77E9876DDD6A715A7E206C2A88F,SHA256=EA7581BB4B855532245D57665C37FC1504060DE01F2BBA647D42D1ECDCBFFF5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393595Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.830{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84D656CFA954E45E6ACF9C833C359517,SHA256=980DB5F6762BFDE600168748AFCF7A6297F5828CAF74B57A34CC3D9DE79FE377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393594Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.830{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911E67B78630E69B141F1796C41829C5,SHA256=5640A14497A9FEDE8A0D38BE977906FB8933E67DB541E0AFE55D14897FD24596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393593Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.830{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C6BE435B3C35492962525BE66E7D95C,SHA256=695419AA20764EBED19C9041747E09B823B446C85FFE4B2EF52F33D84549C221,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393592Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.799{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-02EB-60E3-D009-00000000D401}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393591Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.799{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393590Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.799{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393589Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.799{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393588Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.799{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393587Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.799{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393586Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.799{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393585Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.799{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393584Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.799{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393583Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.799{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393582Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.799{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-02EB-60E3-D009-00000000D401}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393581Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.799{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-02EB-60E3-D009-00000000D401}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393580Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.800{7F1C7D0B-02EB-60E3-D009-00000000D401}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448677Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:35.501{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33896D040E5770FB288400C6772228EA,SHA256=820B1BCDA3718341ED1C8E6831AD64A70AF3471307FCA0B297AAFF70E0833221,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001448676Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:02:35.036{D694AEB8-B3EA-60E2-1000-00000000D301}416C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7719e-0x06034b8c) 10341000x8000000000000000393579Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.330{7F1C7D0B-02EB-60E3-CF09-00000000D401}36562880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393578Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.127{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-02EB-60E3-CF09-00000000D401}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393577Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393576Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393575Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393574Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393573Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393572Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393571Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393570Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393569Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.127{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393568Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.127{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-02EB-60E3-CF09-00000000D401}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393567Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.127{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-02EB-60E3-CF09-00000000D401}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393566Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:35.128{7F1C7D0B-02EB-60E3-CF09-00000000D401}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393598Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:36.846{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3E21D1154364D6595CFE840E0401FF,SHA256=50C33B6299B5528C299C3CC6EE34823FC27916268B3BE7E9BB34D3392AC33E8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393597Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:36.846{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84D656CFA954E45E6ACF9C833C359517,SHA256=980DB5F6762BFDE600168748AFCF7A6297F5828CAF74B57A34CC3D9DE79FE377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448678Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:36.536{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C69B45D1C2D12E155618E93A7E24D028,SHA256=C1485B7E39A32300CB91EA5B46475C4F7623F8BB1E14360FBECE2D3F1DA5EC8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393596Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:34.386{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53618-false10.0.1.12-8000- 23542300x8000000000000000393599Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:37.846{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C294DAD008BE90B670CC36C8FDC3EE6,SHA256=64BF06DF0E15BBE427B324873B8002BB6F03DA261D8CA4DCB94C2CD0EF056F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448679Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:37.566{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=405FBE6AA315CFB91F6DF1CBEF406B30,SHA256=F5786A9A4D7C355E8C7906A8E7E5CCA6CED7962037B547F6F135C0910D522630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393600Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:38.861{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3930D06BA576B764F697A1BC77FA6B3C,SHA256=A925F263BB2AEEA049AA59CAEC921D67CB93290546765739B87FE79D9B4DFF5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448680Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:38.580{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9357A50F0A6E46F4DD2D518BAEF4DCC0,SHA256=D848635A804FF59503056F51FFB999B42B7943D5D7C268A39E40EFED156D7224,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393628Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.986{7F1C7D0B-02EF-60E3-D209-00000000D401}3940860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001448681Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:39.597{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B602B6D7368312F84DE634C222FC1725,SHA256=1341CEC1D2102DF3052AB5DC7D26723B09F6D37DD8B728CF27E0E1911763D725,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393627Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.752{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-02EF-60E3-D209-00000000D401}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393626Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.752{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393625Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.752{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393624Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.752{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393623Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.752{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393622Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.752{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393621Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.752{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393620Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.752{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393619Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.752{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393618Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.752{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393617Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.752{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-02EF-60E3-D209-00000000D401}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393616Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.752{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-02EF-60E3-D209-00000000D401}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393615Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.753{7F1C7D0B-02EF-60E3-D209-00000000D401}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000393614Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.486{7F1C7D0B-02EF-60E3-D109-00000000D401}6523232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393613Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.252{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-02EF-60E3-D109-00000000D401}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393612Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393611Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393610Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393609Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393608Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393607Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393606Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393605Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393604Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393603Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.252{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-02EF-60E3-D109-00000000D401}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393602Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.252{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-02EF-60E3-D109-00000000D401}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393601Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:39.253{7F1C7D0B-02EF-60E3-D109-00000000D401}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448683Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:40.616{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C456F68D83DFB7ADEEA53ECB0535269E,SHA256=2B129E202BB29E8A6046F9388F3E5C8AB0C5F250242E45ADC9856F4726D66592,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393657Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.752{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-02F0-60E3-D409-00000000D401}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393656Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.752{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393655Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.752{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393654Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.752{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393653Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.752{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393652Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.752{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393651Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.752{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393650Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.752{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393649Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.752{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393648Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.752{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393647Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.752{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-02F0-60E3-D409-00000000D401}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393646Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.752{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-02F0-60E3-D409-00000000D401}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393645Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.754{7F1C7D0B-02F0-60E3-D409-00000000D401}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000393644Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.471{7F1C7D0B-02F0-60E3-D309-00000000D401}38522876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000393643Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.392{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=014DA8D0F160BBE0D54D080614ACC70D,SHA256=AF670A19E670D0FC2261F463DCA64A7ED25E90C46D6BED9480C898845E54C322,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393642Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.392{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=028EE450ED5020DBF0BAFED47788A739,SHA256=6FE4258357C347F72A29EC44D8D722BA22B2E0B588F24985093F05C94926BEFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393641Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.252{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-02F0-60E3-D309-00000000D401}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393640Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393639Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393638Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393637Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393636Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393635Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393634Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393633Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393632Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.252{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393631Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.252{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-02F0-60E3-D309-00000000D401}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393630Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.252{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-02F0-60E3-D309-00000000D401}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393629Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.253{7F1C7D0B-02F0-60E3-D309-00000000D401}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001448682Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:37.652{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54211-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000393659Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:41.814{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F03332CE46EE6B12F3DBDD45152377F6,SHA256=8199DA45E90E8D489F8BC40438C9CF9B4A94B484961683B08ADF3B7CEB926732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393658Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:41.533{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A56486284BA1F11D52F96AEB921B3E60,SHA256=DA327C6D2F5F53E48B472ECD805DE50C64A76E3D837CC740D62571B1B30237E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448684Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:41.631{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCDDD8836F6078FF0FD21E27764F3A1E,SHA256=736E09E533E1006565CCE8970BD963C4EE63E814D57BA3889EAF8184B8C3D51B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448685Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:42.645{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9278D16CCA0B1E75E2DE15F1DB53AD76,SHA256=23E9D592992639AA3C7D3390B6B7497274293B6AFAB6E9AECD35CA20914641F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393662Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:42.549{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09AB6BD0AD30551A46A3E6D7D628E8DF,SHA256=FFD3EEBD207A2E422008C86F182E8B3E4B8135F8556D37FA001C99878BA9B6B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393661Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.862{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-49989-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000393660Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:40.401{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53619-false10.0.1.12-8000- 23542300x80000000000000001448686Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:43.660{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=285BB4A3E79142F4DBF26DA040C9C144,SHA256=2458065E49C863DC8CBD5DE3111F93B7D99FEBAAAE1FA79BC4F942757625B9AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393664Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:43.596{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87EEF2210A368A1A4B5CBF4942743E15,SHA256=DDDC2C31662B5188B017451E3E83CEF9DB73D9AE4A17C8D9DB5E46DA4E645654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393663Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:43.252{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=883BBAE3AC447BD14F25BA939C206D42,SHA256=721542512B2EB7A6FAA3D003907FDDF330F781BF31DC859ADC93009E686A7786,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448687Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:44.674{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F148718C2D18050A4BBA403BF1735A,SHA256=4891CBD86DE08D2D2356706798F6CB76D1C17AF10E2E9C43826981BF990B32B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393665Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:44.611{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4241D9FEE75C5CFFAE426794B1D7D4B,SHA256=C301ED3F2FB21BA974ADD34C7286ED308FD705C3189AD6B786A4FAD575AE33B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393666Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:45.658{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A6364B688A510FF0B89FC964C945F1F,SHA256=8A58630AEC1C3C2EE213998A329733A20CD42523D4AA489B9E8D67A755B11D60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448689Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:45.692{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46EEED672A8E4B0CB8F17D62EE2DCFE2,SHA256=8608503259AD96339226844DAE322AD10F6F7A4ECF2742377BA98529301E3C20,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448688Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:42.700{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54212-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000393667Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:46.674{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F8E8DE15B74B54129FFA5270F1BAD0,SHA256=72C7EBC8E815164277CED28A7563C51BFEE2ADDD1BFE05ACCF465BE2F67CA628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448690Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:46.725{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2342DA4EE2103D6EB0C7902EA00ABB5,SHA256=60A2F0B01733C570DCFF24000967ABDC784F7CD9A0C7E84EBA83346DC40528AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393669Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:47.846{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8B5A7D973E9253C02B102513BFF7EB2,SHA256=C9BA977B5CFEE4E7A778B775D9251C259D017FE4FA22CBAA92DE409D180A1D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448691Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:47.740{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71358B69A5AABB55C7E7714330A48D98,SHA256=7822696AC716EEEE64A69F41AD43C66C7373318C538B7F6FA7FF1189EE758DBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393668Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:45.402{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53620-false10.0.1.12-8000- 23542300x80000000000000001448692Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:48.754{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A84757A593A1B19CE37183DB8B2EC91D,SHA256=26F0209CF7E62CF0229386B01C8FECC654A27A093A9361AF7F33A11689C5C5D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393670Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:48.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D65BF23D2EF455EB3CBA38068942C177,SHA256=81C94E59BA85A0577FAD53280CB9FCCC098364B8D34419739135EB3E95D7D362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393671Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:49.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39AFF0EB8D209617E4AB99F7068BC1D5,SHA256=DC42D2179FC2B2A25E45B5785B014897D4C48603E1A34DD18D37FCBD8EC2A826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448693Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:49.769{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F134974FCC6B933DB9E6896678671F13,SHA256=FFF4EBB11D1186F33C6B160C72A9C95E213892A80BDD4EB99785BD961BBB27BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393672Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:50.908{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C681BD2240F9F87B72F83E0F4452CD32,SHA256=556B5347F18C01BCBE2EABB9682A69B4C68F1C9A04AC4F216A7D15E7E89AEE57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448735Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.821{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18EAB8659036D897CBF6FD75730BA2A,SHA256=116725082F1E997FDC4CBFC2687E976DD55F421447F7441307D4809C3836A08A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448734Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.368{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448733Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.368{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448732Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.368{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001448731Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:48.463{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54213-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001448730Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448729Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448728Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448727Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448726Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448725Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448724Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448723Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448722Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448721Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448720Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448719Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448718Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448717Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448716Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448715Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448714Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448713Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448712Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448711Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448710Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448709Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448708Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448707Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448706Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448705Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448704Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448703Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2500-00000000D301}2804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448702Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2500-00000000D301}2804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448701Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448700Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448699Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448698Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448697Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448696Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448695Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448694Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:50.169{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000393673Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:51.908{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F4DE39F3B266DDBF9D73809222F224,SHA256=65EE01FD4D4674BA63AFE19AFE0E15D20B4C04379152ECDA534848AA33BE2490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448736Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:51.852{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F67A9F05D30D0274C418CD962F9DE46,SHA256=B4487287D55F41F657D6928F33A3345E223BB4638EAE1029996CCB388E48A9BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448742Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:52.887{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E11472ECC3229270C5C38F4BA7526C67,SHA256=4BE8044BED297932EAEB0B99CCB630A625942FBFF9221956798E04BC84AF12A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393675Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:51.417{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53621-false10.0.1.12-8000- 354300x8000000000000000393674Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:51.110{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-7493-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x80000000000000001448741Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:52.467{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=D0FD3284B6E86A26D190D3D4ED1D2A1A,SHA256=89EE027D0354C9C655EDFC59506E64B9F81B7CE94747871346D04C35AE48E1DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448740Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:52.467{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=B2B97C9AF19BDC370B5BA8C2C6091E51,SHA256=ECD69172374A9206FD5919412FAD75E22E1BBCDC705F64AD077C1E6B6005EA41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448739Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:52.467{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=DABF15C66A77A256D4252095A94ABD9C,SHA256=4EA4B20487182BB4A76E8987BEA20A2DE70D5B77A43F1BB7263C59B89708D372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448738Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:52.467{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=0AC9FE5D036EEEB4CCC789586B995C9F,SHA256=B5A9E18969D1A42607A7027E992EB615C511397AE1601CE66E90081D64353B53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448737Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:52.467{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=886028BDFB31952EBE521EDFC5B206FB,SHA256=FB70333CCE7180E65CE67809D3F7AA4CE445A555470BBD7D9E09ED5947DBD755,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448743Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:53.903{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A69D3A9274F08A1AE5315FBC57C4DE,SHA256=7EEA35AFF2A752C948BBCEDF9F99866E7C36C78892E2A04CD660E9D3A500180F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393678Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:53.330{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C717928265C19E3FFAD8431E2D30EBCB,SHA256=082595F5A9B215228E2D98A0F818BB688050F8F1BCD1D7CFA2029BE8B058FF26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393677Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:53.330{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=615A534651C68649A011E5F020D3B152,SHA256=B4D0226697131C505A40BA1E9FD22782D5764CAEF48720448F4E0F58F340044B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393676Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:53.080{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187AB0F204ECF6CBA1368E450AF3194D,SHA256=A3745F9C719337D2ED0F7BB3B02765F457535ECBE62CB4623FDD1CCD822CC062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448744Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:54.917{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FABD2782DBDA6FD06210D06190E5B0B8,SHA256=CC2B8B90DC46BA2596C4C7463DEB896127483D2FF0ABC37184FED3A043C2D3C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393679Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:54.158{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8491AC921DAA4B1C59794B716FD1273,SHA256=EAF31161DB6EC0A68BD14156166A58EC0648A00A08BA558EBA89AB03E72A1782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448745Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:55.948{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11FF6840D5B4C710E2DD2A37EDF0914E,SHA256=1FC7D2E7CF9B7533C9F39ABF94C474908055DA215B5D7A70FA0D9D08EFC40E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393680Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:55.299{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F7E9F6F9385D7BA21927302D7AAFC7E,SHA256=9AA79013877671123ED791ADF36E5F887650702B0CB27687FDAF00E183868D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448747Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:56.962{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DDAA621994297B64257AE59BE713428,SHA256=B4F04DF610652B5BB83F439EB1C01632C765FAD458BC6705B4246ECFEC5C92FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393681Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:56.348{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6198E4CC91084F6C95E06D81BC6A4B1,SHA256=E45A43B94D626B295EE1927F8063FDAE591EF0793C4032FDA43D7B6520820C13,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448746Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:54.489{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54214-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448748Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:57.979{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C2C480F8F1CA7D6767C006612368DDE,SHA256=00B6D1A40702EEC6D278946633D1456600E86309C4837067E38918BDD40A37DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393682Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:57.408{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CEB59B12BC32E8A2B5433711922F9ED,SHA256=722AF54343F45B3B42F901F253B38826965654184B6D146AE7AA46DA7DA177E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393683Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:58.408{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9747E9C47C28E1EC0FF81CF981777859,SHA256=057FEDE3F0F03C5F52309CC37E7CBF1FA9A397A019E879AB0B5288405BB09023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393685Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:59.408{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87291C9003C82D4A572CFA01AC2B3DB8,SHA256=9E8327AD0423571F21A233E7442F4D2E129D7B6BFCDE0180163D5E933AE331AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448766Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:59.996{D694AEB8-0303-60E3-600A-00000000D301}26965180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448765Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:59.812{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0303-60E3-600A-00000000D301}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448764Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:59.812{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448763Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:59.812{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448762Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:59.812{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448761Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:59.812{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448760Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:59.812{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0303-60E3-600A-00000000D301}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448759Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:59.812{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0303-60E3-600A-00000000D301}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448758Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:59.813{D694AEB8-0303-60E3-600A-00000000D301}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001448757Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:59.129{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0303-60E3-5F0A-00000000D301}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448756Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:59.129{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448755Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:59.129{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448754Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:59.129{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448753Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:59.129{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448752Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:59.129{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0303-60E3-5F0A-00000000D301}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448751Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:59.129{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0303-60E3-5F0A-00000000D301}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448750Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:59.129{D694AEB8-0303-60E3-5F0A-00000000D301}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448749Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:02:58.997{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0FACD695B8D304FEEA6F40259301DB6,SHA256=7BA119D18A194C425058908AFF5947ECBEDB00345FD6F2295828D7F084DAD9A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393684Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:02:57.386{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53622-false10.0.1.12-8000- 10341000x80000000000000001448777Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:00.380{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0304-60E3-610A-00000000D301}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448776Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:00.379{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448775Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:00.379{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448774Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:00.379{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448773Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:00.378{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448772Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:00.378{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0304-60E3-610A-00000000D301}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448771Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:00.378{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0304-60E3-610A-00000000D301}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448770Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:00.377{D694AEB8-0304-60E3-610A-00000000D301}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448769Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:00.280{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEC9E870978441CD4A2EFFF702BD4477,SHA256=F029ED939D8A7A4867AC6CE3D2540E8ADD069654DD35D585C9E65E1ED3E5F6FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448768Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:00.280{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBB323B5326362B87F5EB376CF145133,SHA256=D4E236FF753095C828CE6A3EB3313E140A631876EA2E1C1F695C7E9529F2726D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448767Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:00.012{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14194B78CAB2A0D8D303747F8EEA8A1F,SHA256=AF83C63E8D6C2C3495FF856D04BEBD5461C9590815B3752BE8986BFCFFCC188A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393686Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:00.408{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7E228CBEAEB5E72DE9A40B79FF40CB2,SHA256=5C483C05474E0DC126C521E07E9C303BDC977F0636CE76FE347D65A7011CDFBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393687Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:01.408{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6F93C1C3E0D933331AB7B9022D0E24,SHA256=BE53729A380859A8412CBE6079347179DD37FAD5546600D1CC07187D2EE4367F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448779Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:01.395{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEC9E870978441CD4A2EFFF702BD4477,SHA256=F029ED939D8A7A4867AC6CE3D2540E8ADD069654DD35D585C9E65E1ED3E5F6FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448778Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:01.026{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B8DD59DC08F1C736E3A7E576D359A7C,SHA256=A776E4F65BFB509100D1253632E8AF563AEE8B35E02D0B2249AF36F368E8B660,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393688Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:02.410{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC196C9FFF96A183E967C8CECE3F41DD,SHA256=ACCD6C1630D819F664377FD47FBD56A8ACC1E7392A95B56913345FDE2AD32670,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448789Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:02.977{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0306-60E3-620A-00000000D301}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448788Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:02.975{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448787Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:02.974{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448786Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:02.974{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448785Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:02.974{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448784Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:02.974{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0306-60E3-620A-00000000D301}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448783Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:02.973{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0306-60E3-620A-00000000D301}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448782Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:02.972{D694AEB8-0306-60E3-620A-00000000D301}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001448781Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:00.498{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54215-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448780Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:02.094{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6D2378CED5E0BA346D09C352BCBEFF0,SHA256=0082D1B162E72839050ECF49553B90616A99BC83CEA647AD9A9E58BA8A2D7909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393689Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:03.423{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8BC8B26961A991FD31EEAADBC84B83C,SHA256=2F0322F8FB9A64E26CB2A9BF3E3CFEE497DF3A6DD32F078D4700AF1F840F843B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448801Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:03.992{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA1398058306FE07BE7D9FCE64D63E40,SHA256=2C5EBAACA247DB4B80ECC5E339B3EB8A1569D6B92181A6DA9DB9CB30B683B2C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448800Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:03.824{D694AEB8-0307-60E3-630A-00000000D301}71166484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448799Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:03.655{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0307-60E3-630A-00000000D301}7116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448798Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:03.655{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448797Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:03.655{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448796Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:03.655{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448795Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:03.655{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448794Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:03.655{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0307-60E3-630A-00000000D301}7116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448793Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:03.655{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0307-60E3-630A-00000000D301}7116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448792Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:03.656{D694AEB8-0307-60E3-630A-00000000D301}7116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001448791Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:03.140{D694AEB8-0306-60E3-620A-00000000D301}55964712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001448790Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:03.109{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB99222E39593F6775A767C5098B2356,SHA256=AAD26B3498E4FFFC49BD636F7C754CC53D5EA55FC4890269EA50271CB7643DD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448810Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:04.323{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0308-60E3-640A-00000000D301}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448809Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:04.323{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448808Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:04.323{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448807Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:04.323{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448806Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:04.323{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448805Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:04.323{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0308-60E3-640A-00000000D301}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448804Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:04.323{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0308-60E3-640A-00000000D301}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448803Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:04.324{D694AEB8-0308-60E3-640A-00000000D301}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448802Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:04.155{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC48BDE2F565F2EB072280F919FE605F,SHA256=F301CE2232C3148E3B991EF78F49CD89A51AD70435C4553D5092F797D6DF4318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393690Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:04.434{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9030350146F1BDC85DC0D2AEEC9A766,SHA256=17E5DAB75775CB9145BCA2516A252602DF4CE969F5A647E1F202EB58470814D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448828Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:03.064{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54216-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001448827Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:03.064{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54216-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001448826Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:05.338{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79088C99996977ED47FFD5A5A775341C,SHA256=11CFA9253DEFC6B3FC66F3F89093A4105155541B5D83A212FD8D190EB033CEDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448825Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:05.239{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=A5C580DF1318BAA3CF1DF8955F85B881,SHA256=D5E5CCF3407DFE51DDEDCF442C1978BF85039AF957A8E7242BEB0AEA48B289C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448824Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:05.239{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=361204F9F584B1B723AE6E552172E4C4,SHA256=F83479B57607D8F59A6F3AC7C12E2D993DBEA69D9BCD9DDA0F50FB7DC9E6BBEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448823Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:05.239{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=9ADF7BB8CA9299C55A97A6CC3E188074,SHA256=A073B6004E73E426D21BB678836FE8C8A0CBD262F90F34356927CBC482AA09D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448822Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:05.239{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=3027218304320CC11B9D17E20A9B82C9,SHA256=7B67445C45BAB48661F81C873F43D719EECF60A486657BBFD424AEBE8AFF6088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448821Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:05.239{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=E8D783938B0576C3016D7A2F51964805,SHA256=BBE161CD92296F71F7EF757024F06B73F74FE532A6DD633E712A84970DD1FCC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448820Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:05.175{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF978043F9FF2A961AB3BF872F085279,SHA256=00D831254974262A40CA7818813AC22BADFE168FE8CF99B071A99FB79877B02C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393692Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:05.450{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6AB2023B5550BD61BAF85AF1EED3B43,SHA256=11B4950CF725E5DF782D31B4F315D34DB08D00AADAC019469E2DFDE5E007AA06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448819Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:05.153{D694AEB8-0309-60E3-650A-00000000D301}46523752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448818Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:05.007{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0309-60E3-650A-00000000D301}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448817Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:05.007{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448816Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:05.007{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448815Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:05.007{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448814Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:05.007{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448813Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:05.007{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0309-60E3-650A-00000000D301}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448812Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:05.007{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0309-60E3-650A-00000000D301}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448811Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:05.008{D694AEB8-0309-60E3-650A-00000000D301}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000393691Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:03.369{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53623-false10.0.1.12-8000- 23542300x80000000000000001448829Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:06.206{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE3458F9AB97CF68003F891B630F58D8,SHA256=1B8BF1C858D108DF48C6494AD50B2BBF195A7C5AA70D89654DE17946AE22686B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393693Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:06.450{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CCCBD0CA04D226343874E269973946C,SHA256=4195D6B1338D1E204F88541F5B8E592167D6C1B51117A9BB3B4EEF481586EEAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393694Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:07.559{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C052241A2C10563D1A04292C9076AF,SHA256=9914B04C74E84BB11A30C5F8FE1218C0F6124CBF4EB6F9673581FF62F3A0A468,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448831Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:05.509{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54217-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448830Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:07.236{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06B7194A765CCFD6B7BDDF7CFB14CC0F,SHA256=AC78E6A317DA8F781DDB8CFA6534F66337FBB1FCE65747CDA3C4D7D9303256A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393695Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:08.559{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD7E24918757CBB39FFC7A49AABBC7AA,SHA256=8AAB6E6486D046C6DE338D451F85A3382531760C887EAE1EA42A3BD70B5D5596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448832Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:08.251{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=180454BB50223CF5A70DDF0F4785C776,SHA256=9A071888FC5198AC0B553B5B62641C9EEDC4DD72694E7E7082068CB716BCA6BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393696Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:09.560{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1731AF4772345DE4D3E4661F274BEEB8,SHA256=738DB2CEB315E9EC22F4068866C36A40419C231C42FC8DBF6B51F27F889108BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448833Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:09.268{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7953353B1166FC741B0DA149E0743AB7,SHA256=47FD11A7AD63E55A93D47C3D69FD5A3140AD0992F54F3FB9E3FA954C526005A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393698Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:10.575{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=302A7F6CDBF71F822315B60375721FEB,SHA256=A46B151050F2856CC43B8905D1FD37C252CAA073AACAA42978E088BBA5F2A405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448839Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:10.286{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F11ECCED9C1CEF7763613460049CBD88,SHA256=13804A49C8A8E2D01F83E1EBF5A544EA9373EE0B2BCE65E30C8472EC40D41091,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393697Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:09.365{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53624-false10.0.1.12-8000- 23542300x80000000000000001448838Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:10.249{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=6CBB1A218F17CFE9A84BBA3A49D62C28,SHA256=7597FE6ACC40D2F34A520DF5240E8F221956BFEE513AB3664CA47F2B47E9A25F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448837Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:10.249{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=6752DC585B083FA2E17DE178E385AB1A,SHA256=CFAE7C4D6B15EE8B657AF88E7BFE2E6ADBF84FB27746557D5289E70932D7A8B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448836Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:10.249{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=6C01F3CBE181DCA6AF7ABE6AE36C4BD0,SHA256=7DAB981E2113125CC3156F595D0732C32931D3E4188F99B49785B185416FC7CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448835Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:10.249{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=F0BF6AE3508708A13E85BC13F170902C,SHA256=820CEC466CAA3CBB7D219D93926F41031F100CC95C126CFDF47782ED44BEF2AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448834Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:10.249{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=B3C6DB9E62C1A4D0FE3779FD12166685,SHA256=7AD96B710A8F80FDE7DD925F9ACE7E52D28118157D0DDD5BD072D0DF9418223A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393699Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:11.575{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E1147172C16624681BD5D7DC2B75F8,SHA256=2218FCD17637938B916244E689E4CFBECF715A7ABD4AA932AB93906DBC4865E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448840Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:11.301{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D5B99ADBCE3AD0AEB2E921ABB3B62C,SHA256=7D965CE4F88247CE1FF603BCD14E305B9BEC5056880D7F9C048A3B069EC03156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393700Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:12.732{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8206B3509CFD049604238EE5E242CADC,SHA256=4467806F94917B1202010E6F756CF626C69B04668BD74049E5398647074A251C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448841Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:12.316{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80CD2BB09C409CD080DB7550299FC78A,SHA256=BB1D917A2536667F96B54C104AB8DA36BB67CCA93029766D2BF14372838149F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393701Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:13.872{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C905AD2DE1D5ED6E194483AD89E0345,SHA256=F096110CF13F189627DF3611C66C5A30A9F8AFF35638A9836F5002671272E06E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448843Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:13.330{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5796D49AECB794BEDBF1151F95E2259C,SHA256=F5EEA04DB29A579E3B1E1E629761C9A4381C24F2BA4CE3A3DD3892C32C60744E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448842Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:10.542{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54218-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000393702Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:14.934{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48836CF787DA23FCF4B170730AD63467,SHA256=8A6B5F6CBFC094211109524F7D89D365C640E5D81352AA9048E0A3CF4D71DBEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448844Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:14.345{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C7877C599D453A4E0B52CD23CA63A8,SHA256=0CBDFF339C9AAC1AD2A42A288590E5BECBA6013BDDFCCAE22C056699DE38E36C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448845Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:15.361{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D12774F31C82E1054747B1CE4DB884C,SHA256=8D412080A81A13CFBE8EBC3149EFB84130E96402007E26691FC551454F54EE81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393703Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:16.059{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16DB2FD49CCF7CCA402D66D5C04DF20,SHA256=9CFC963EA01D466340695A94ED613A8D6AE5911B1117FC2509F7D815970D8A94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448846Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:16.380{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3123008B54071BFE799D65631BB748EB,SHA256=35CF08259031AF2EFACE103E6D26EB79861375BC57581672C60DCC5B80C23B43,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393705Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:15.397{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53625-false10.0.1.12-8000- 23542300x8000000000000000393704Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:17.106{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA08B562B262E3AB5A08D338A5547D2C,SHA256=02DE35F621E54A7DF31DB939D0BBB22E1695C234C60647384A47AF75204510FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448847Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:17.394{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8B56FA1004CA7F92249CC48E8F374C,SHA256=2476FB687746AEE7DC4DD5642BBDDAFF899D5B256C787DFC5EF90AE0C6C114BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448849Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:16.566{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54219-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448848Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:18.424{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C576CE38D128BA3D95167F09F9CF8641,SHA256=A6E575FC4E45D8A77C6C828C5626DC417200A2F5B05FFD4398D8F85AAE5975E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393706Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:18.106{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84DC5AE611E27DBE6D2D583E166AE84F,SHA256=E661276CED1DC1D6B1343E2FE8C0B884F6A4DB39452269F1139007DE66EAFD8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448850Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:19.440{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FA2B62DEEC4F8F0EA9566A07208096,SHA256=A5A5FD544905CAE4B01D23421C540E57DFC1DD79E2DA39D4D757511728D1E3DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393707Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:19.169{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3860FEA9FCCDF17D068C631A6799A6B,SHA256=6E5A5BC56DFE984CC568EE470373C138928DEF1F62B620D6CA4F42CA3385E331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448851Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:20.457{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1879C2724810D1403D6538A254C2ACA,SHA256=24F6BCB4C52C84A8FB796DA0F2F184058FEA498BDE763143CC0FA9D04833EA13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393708Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:20.294{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAEED8AFC2DCE789D3099E218B3E4910,SHA256=9761BB612B6EC5DA80B76AB5403C3768D4A7CE7C9512A91F10100EC65C971AB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393709Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:21.309{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E57CA432E353BDF20D13C6BAED3087EE,SHA256=A10D5A8CDDF49CEDEB1A7692FE48AC660A6729840A4B5C261626411F599EA4F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448852Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:21.490{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B273A2F418E7D8A931CD21B069E3CA7B,SHA256=2196295A63656A0A36FD8179AC49B6618616929580F2987D898362A66CAC2A4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393711Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:21.350{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53626-false10.0.1.12-8000- 23542300x8000000000000000393710Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:22.309{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD1576225660C376045E3029A29CD12,SHA256=59B8972D608F4B799DA519D40C79AD9E92CF8E384BE7F4FDB4AF1436EE9F3CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448853Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:22.505{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB220FC78C7EFD5F5619EC9858FD960F,SHA256=AF81A40F925A22BCF80685B3DBCA3C5CD1BF8E26FF912DE81EF516BC28C72D32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448854Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:23.520{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C10E739549A946510AC2DA89F74BCE0,SHA256=D5A11C04B28211054A2755BDAAD5E078DCF56E273710A206521422B4954E4BAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393712Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:23.310{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524C99AF6A4BBBF850B079982E3A33AA,SHA256=4811216535E6335AB4922E496A44BF67986EE3BFA37F44162542A08BBBD1F465,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448856Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:22.607{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54220-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448855Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:24.552{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C88021CD3AB1F2849940C2442717BB,SHA256=5CF96AD0055EAF2A9C9F94ED29E6E793AA96D07E9DA5E05F55C10DDB04D53ED0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393713Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:24.325{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B3FBA00D94EA86A1E6693115A58962,SHA256=32C7FDDE8A254D67B14F3378C35E67F3E2D260E7245FE0608324078B6A439F90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448857Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:25.570{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F383729CA0418610BAB1170F3007829A,SHA256=A38B35E2A8827C26EF47CE4DB939DDC5C71FAC2FAA19886615364F99E0A63FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393714Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:25.325{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED02F133981C49D877671871511A6CE7,SHA256=D26377CEAD4A8BCDC4C4B0481754F72DC655AD76F08451FD87ABAA6A3D469BF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393716Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:26.325{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A05232930B8760820F4D4B948FFAE14,SHA256=D1A6A3A00F7424ACD91CE30A7C2D47A3FDF3273B07305E4B96FDE4FAFA75568A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448858Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:26.585{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7EE0B59DBA3B87BF02DD3F152062A89,SHA256=F59130C3D54126DBC3C706168711FF6B439583D3DDFB116FF87B65ACA51DD670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393715Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:26.216{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6997E2E945CA3CE7AC032D09AB65F332,SHA256=ED8B32A9BF9FFF7A361A4C8F2E24155759588CC00995AC456D3BC3A6E26BE7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448860Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:27.594{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=578D78D38AF51E0BDD6BA8E354780716,SHA256=F5304AAFB510F42CBA256E74A74995D9EC9C9D3613143D052E279CCAAB7DC79C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001448859Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:03:27.594{D694AEB8-B3EA-60E2-1000-00000000D301}416C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7719e-0x2556f3b4) 23542300x8000000000000000393717Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:27.356{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0F73099B4F6B960CFE1F979A50A6A89,SHA256=A37EB0CE6AC4B5EDCB224DB1DF90137AC5C9625337B85DEE695D2125D491815C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448861Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:28.658{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD8BBE92ECA926DD9F70C10257AA481A,SHA256=A522C0F88BB8EE0B5B4B54FC6F857C9AB5258B9F1179BE2D60247A545F93D8BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393718Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:28.388{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=944A9A3FCBB8B472242937A35C4BBA0A,SHA256=9DEE872C4930794FEECF7416D5D3C2822DFA8A8370DB7FB2DD650CB0502E9862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448864Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:29.892{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448863Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:29.676{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF4B421501DCCE54A118D9FF1CC9D3C0,SHA256=6A64DF99AD37F6867A90251F9D4488AD0006A5649C9B2CF3244F2D4A96BF6EDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448862Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:27.033{D694AEB8-B3EA-60E2-1000-00000000D301}416C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-201.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x8000000000000000393720Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:29.388{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F81086D823EAB927D08CAB2688CAEB33,SHA256=42A5211716AAEFEA8D2136EEAA9583408676FD67392F17DD02A03927D70034DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393719Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:27.319{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53627-false10.0.1.12-8000- 23542300x80000000000000001448866Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:30.722{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98FBFEBD57ED7F3EF39AD87EDB68AC1A,SHA256=EA501561F870877EE084278C36687C3DE7BC0822123C2876E07684B5CF6A2B14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393722Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:30.669{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393721Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:30.450{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC31C16F9B16E863A51DA596C8596E19,SHA256=0B4D42D2C528DA67E743145BCF914539BBB7D498AB589A60C97B34D24282C7F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448865Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:28.595{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54221-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001448868Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:29.332{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54222-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001448867Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:31.736{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD42D7B3DFBB68FEF559821143C6E37,SHA256=D19B964CE3364EFB9B4CE9D1CAD40CCA8ED9EF32574EB7CAAAB2D8B71EC95934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393723Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:31.450{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD8046627531A3FD2A5FF8D461EC6E8A,SHA256=BB22BB0DA1C9245CBA2A984772ED2F6DE17E9A4BBD61C376F262C6DD7D2F724B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448869Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:32.753{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB2B99FA26538B4DDA78340FB10F8244,SHA256=4FBF9D302C8B29692AFBC3FA1E46BAA6F49A4269C18968D7ECA63015C2B4B9DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393725Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:30.834{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53628-false10.0.1.12-8089- 23542300x8000000000000000393724Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:32.450{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C43F01F5A42173A073F55757D1AF7F7A,SHA256=249978FC2039B034B57E2A47548AA71C39CF47D76FD931BA8FF3A15A2A34AA9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448884Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:31.570{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-28072-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 23542300x80000000000000001448883Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:33.771{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552FF8106922FACEEB36CF5C07F6C424,SHA256=21FF12BCB1A017FE000D40614553852DC5C8BD6D432B1E7ADEBBFB29BB983D02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393726Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:33.450{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045D38FC20C9F06B213DF850E2A58104,SHA256=465ECEC13A7BCB6B82DB944C02AE5C95B6E51E1C7AAF0C24EC48FEE68C37383E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448882Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:33.734{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=701F9D04A2706CC70776FAA26260E64A,SHA256=F6EB8C88174FF68934B23F416C6133197687624013B68A4E5504A691B2A10251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448881Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:33.372{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4822B110757E0C3B34F9896D35DD967,SHA256=4EB0976C234775334B31CBD6A34B50B886A0DAEB249DB0CB952093868102F3E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448880Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:33.372{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52180F54AE948317ED13D389E652430E,SHA256=3F6FD97A429F7C0B6A06AE62DD0BE89AE3D3077BC4E242568FA756B925AA8AB3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001448879Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:03:33.303{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001448878Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:03:33.303{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x013593e4) 13241300x80000000000000001448877Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:03:33.303{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77195-0xc67b3ef9) 13241300x80000000000000001448876Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:03:33.303{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7719e-0x283fa6f9) 13241300x80000000000000001448875Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:03:33.303{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771a6-0x8a040ef9) 13241300x80000000000000001448874Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:03:33.303{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001448873Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:03:33.303{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x013593e4) 13241300x80000000000000001448872Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:03:33.303{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77195-0xc67b3ef9) 13241300x80000000000000001448871Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:03:33.303{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7719e-0x283fa6f9) 13241300x80000000000000001448870Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:03:33.303{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771a6-0x8a040ef9) 23542300x80000000000000001448885Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:34.771{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A2590EE47C4AB601547725EF4D8227,SHA256=E00EAE2CE32710612F246ACF6272AF2DF2C24807ECE004FC5BE5C311A3D76AF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393741Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:34.809{7F1C7D0B-0326-60E3-D509-00000000D401}39082712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393740Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:34.638{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0326-60E3-D509-00000000D401}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393739Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393738Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393737Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393736Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393735Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393734Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393733Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393732Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393731Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393730Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:34.638{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0326-60E3-D509-00000000D401}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393729Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:34.638{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0326-60E3-D509-00000000D401}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393728Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:34.638{7F1C7D0B-0326-60E3-D509-00000000D401}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393727Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:34.450{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0F97CDE0666E5DAA8C1961F851A413,SHA256=35A881A07854E3E6D64B7BE905D6E9FC3E1A35DDDDAABC7DCAB4BC30171A9B4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448887Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:33.606{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54223-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448886Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:35.786{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83F8158FF80B9454F6666856C5D9BA2,SHA256=2F143124D37D586B7D1EFEF5F7872FF3500DBE8A345B073F1FBBC4777E1C6112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393771Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.919{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BB8956A0F4E47D31716B16F9BCDC5DD,SHA256=3370168F0258E640C5078810ADC6AE18FEE30175D501845110EA0DBE4AC20975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393770Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.919{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C717928265C19E3FFAD8431E2D30EBCB,SHA256=082595F5A9B215228E2D98A0F818BB688050F8F1BCD1D7CFA2029BE8B058FF26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393769Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.919{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5EE4CBE713B1329F0EC86B4FEB46CD9,SHA256=8E65A477DEBDF050D1FCB48375FE4612AEC8F3AF5E2D1C50E0A492D805CC2C5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393768Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:33.303{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53629-false10.0.1.12-8000- 10341000x8000000000000000393767Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.810{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0327-60E3-D709-00000000D401}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393766Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.810{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393765Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.810{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393764Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.810{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393763Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.810{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393762Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.810{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393761Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.810{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393760Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.810{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393759Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.810{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393758Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.810{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393757Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.810{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0327-60E3-D709-00000000D401}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393756Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.810{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0327-60E3-D709-00000000D401}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393755Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.810{7F1C7D0B-0327-60E3-D709-00000000D401}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000393754Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.310{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0327-60E3-D609-00000000D401}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393753Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393752Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393751Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393750Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393749Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393748Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393747Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393746Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393745Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393744Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.310{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0327-60E3-D609-00000000D401}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393743Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.310{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0327-60E3-D609-00000000D401}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393742Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:35.310{7F1C7D0B-0327-60E3-D609-00000000D401}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448888Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:36.801{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D5A36758DC4BA612BEDB5735B05D7C2,SHA256=F3D2F3ADF3FCBEA33EA66068F03784299D4C15D607CC4769820A267BDD5359C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393773Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:36.903{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB068066F0466F48666F2DA386CD3ECB,SHA256=02C94604DE6F1F457EBEFE0ABDD9432804F4C00DB767FE0C72863FA5E3CF1C7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393772Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:36.872{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BB8956A0F4E47D31716B16F9BCDC5DD,SHA256=3370168F0258E640C5078810ADC6AE18FEE30175D501845110EA0DBE4AC20975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393774Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:37.919{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18EA770C06D719C0F3B9AD2593AF343,SHA256=9FB9409539C6C58FAE7AC488CD2C717AF4B33CCA5C882BE35DBFA89BCDBCDE9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448889Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:37.849{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B41465051CBA6D42BAB953F52660CEDA,SHA256=B3A94FE22F81C6EA488A2AF791E4FC5C4C4C2971B87AB2AE8500101D73EAE29D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393775Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:38.966{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36695B7B9D5F50D39AEE328B95FC38B5,SHA256=7AF450FB0D6D63568FA8E3FA78114F3122ED8AC5CF4CC79F6817A3AE2F1FEB73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448890Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:38.851{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4C0653AA64C5E887AF4A50F78920867,SHA256=CEBA531429FF777516296006C2E929B13A6E79B0E419BB375D40DA1B826FF3F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448891Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:39.867{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C6D75199EFF3A1C804B62C93E432054,SHA256=0D5D9BCA8600DAD0D64A5E0CDDD2CA8C743E8853FA0117A66324DF2BCDD8AFDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393802Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.763{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-032B-60E3-D909-00000000D401}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393801Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.763{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393800Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.763{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393799Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.763{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393798Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.763{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393797Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.763{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393796Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.763{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393795Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.763{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393794Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.763{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393793Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.763{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393792Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.763{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-032B-60E3-D909-00000000D401}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393791Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.763{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-032B-60E3-D909-00000000D401}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393790Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.764{7F1C7D0B-032B-60E3-D909-00000000D401}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000393789Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.481{7F1C7D0B-032B-60E3-D809-00000000D401}32003484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393788Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.263{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-032B-60E3-D809-00000000D401}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393787Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.263{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393786Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.263{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393785Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.263{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393784Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.263{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393783Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.263{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393782Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.263{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393781Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.263{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393780Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.263{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393779Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.263{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393778Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.263{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-032B-60E3-D809-00000000D401}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393777Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.263{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-032B-60E3-D809-00000000D401}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393776Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.263{7F1C7D0B-032B-60E3-D809-00000000D401}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448897Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:40.881{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF9F9B71E3FC3442C6EB17513260AAD,SHA256=AA46451FA7F323AA633E641EAA85D30B8825FADB481C586B1838602063B8FCA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393832Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.935{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-032C-60E3-DB09-00000000D401}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393831Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.935{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393830Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.935{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393829Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.935{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393828Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.935{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393827Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.935{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393826Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.935{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393825Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.935{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393824Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.935{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393823Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.935{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393822Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.935{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-032C-60E3-DB09-00000000D401}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393821Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.935{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-032C-60E3-DB09-00000000D401}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393820Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.935{7F1C7D0B-032C-60E3-DB09-00000000D401}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393819Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.466{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E733AB89AE9F748CFE85BCCAEE5AD69B,SHA256=FBD71548CE55428CBA6FBCBFCC4AD6AFB3844889BF70AD0BCEDF2F33EE3205F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393818Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.466{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F01DAE60AF26D7E2F7A35C8A72757BB8,SHA256=57A4995EDE89672A0EEAB9FEA373B99C24BC3CE372D5C5FDA7A4D20E4ED8B6AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393817Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.450{7F1C7D0B-032C-60E3-DA09-00000000D401}4881872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393816Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.263{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-032C-60E3-DA09-00000000D401}488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393815Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.263{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393814Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.263{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393813Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.263{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393812Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.263{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393811Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.263{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393810Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.263{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393809Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.263{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393808Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.263{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393807Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.263{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-032C-60E3-DA09-00000000D401}488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393806Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.263{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393805Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.263{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-032C-60E3-DA09-00000000D401}488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393804Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.264{7F1C7D0B-032C-60E3-DA09-00000000D401}488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000393803Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:40.106{7F1C7D0B-032B-60E3-D909-00000000D401}38683360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001448896Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:40.350{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=1283F2290EC7E37B04C003DE9E4B5AE0,SHA256=333247A20D02E50BEB5A818BBBB828EF17D3B1D2B5D32D17A8DC182FBAEF62FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448895Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:40.350{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=E8227CF7F007325DA1842779DDF68821,SHA256=279B017F9D4B76A20E8B5949F8222D892076BB5B958F1B863B3040D2AA3EE9D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448894Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:40.348{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=EEB96D0056E1A9ABEAB4BE12CF736DC9,SHA256=7E5C46A8A6BCB44A574B83CE5F4D73029C282786907FF17E02E6BEE1A1B945EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448893Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:40.347{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=26C80D84282992CAB456A7A6A5EE9EF1,SHA256=183EC892FD4C0A296DD995AFB542F0882906D5AA8F4536FDFB386CBA39F6D992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448892Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:40.346{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=EEA1B347B173340815C776465F596B0B,SHA256=D8781583CA2B7C8CCA2C73423DE2E6BF0A92C3C8F18F91A41CA918075C39E42C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448898Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:41.896{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1DDBD7A806F939F6E80C66716D606D8,SHA256=5EFD773AE20AA6A651FED8D17BDF203237BC3B9E3A0C9A03C4843B2761EA39C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393835Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:41.622{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5262E7AA9DDD574BDFACC005DAA887B1,SHA256=EA6B980E986A688270F5C55D7CA4ACF4BA239C102D9A83BB631172AAFAA0E122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393834Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:41.622{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C5134833417EE81DCC2C175EE6BCC81,SHA256=D0E475D9AE035BDF7FAB6858DBEA5C4A49B5A8857FC94DAEE214FA668FC685BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393833Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:39.319{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53630-false10.0.1.12-8000- 23542300x80000000000000001448900Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:42.910{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E4FFEB22BA034126A590ACC13318BD,SHA256=2501FBE835E067B504EE5B8B7DD66E7F52D3E03A527F9F87216B6F150EF4FFEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393837Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:42.841{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC0F0C8270523F1C7C93A8940DB61AF6,SHA256=BD9C557BB7696AEE02001222562FE337C183672D9FEF93D8956B992483C0A7DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448899Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:39.600{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54224-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000393836Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:42.622{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C51729BD4FD61729E2C33CA991A642FB,SHA256=0C8A424489D2911D0FB3ECC95B4292DA9CF25CDB9F0ACD52B8B60DA196648E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448901Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:43.925{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54269960F3F833263B5267E7739408F2,SHA256=037D67AE0BFA486B3CD13AFADEDE80D2D3CBC0F4790BED654B47311E5C3D59CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393839Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:43.841{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A21AB9FBE675BBE50D2997B643B090F8,SHA256=28A6423B78845F4E9206AC052C09E6562F5B43B634B4A30227BEA69A7A5D0AAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393838Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:41.531{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-52483-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x80000000000000001448905Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:44.943{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B64ACE669399A77055FD1AB7BBD86CB,SHA256=47081132C48F390AC98A5C940AA6C0A491F80BD83DB5E23ECC32414B72EDE559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393840Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:44.841{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3E81677C4339ACDF371CE3B1DCBF44,SHA256=447CBF8C41516868D6F2382AAA7528B3ABAE19299FF55DC0D9501534F39EBBA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448904Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:44.109{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55af0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001448903Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:44.109{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+555d1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001448902Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:44.109{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF135be11.TMPMD5=7CC92A355EA66A219E3148903E63F654,SHA256=CDE288AC5D74287BFA2D9257B236405535586530C59E6CD093A4AD9FE7326A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448906Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:45.960{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB213D5E2306A9693B336BFA27BD21C,SHA256=6E3910214F315D5139604B7FA975483278FDE663D53243E22DE06BAA4AF21C2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393841Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:45.856{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D14A5DF374C0DECD56D032512D21096C,SHA256=9A060C521B8CCD85D027A214C154F4A585AE721F3768D7BB2E14DD62C9381A4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393843Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:45.304{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53631-false10.0.1.12-8000- 23542300x8000000000000000393842Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:46.872{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5411E6697402E46C66D44D8B2A9D4EB3,SHA256=62D375F9566F9F1D63B0C089F07AE9E89397A887D0CD809E03CC0B8FF9CB64A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448907Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:46.991{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A0D920F1023B8DD7CDAA5209F3523DB,SHA256=C90E8063C2117FA8B2FFBF87023A259ACEFBE5EB04450ECD066ACF62329163C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393844Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:47.888{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=063A3DCA9D04B24352AAC0C5693B5D9F,SHA256=74A15326698CAC2C716CA16C6E15F5EA8A3086DE99BCA8E41D07AE5075247E0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448909Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:45.578{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54225-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448908Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:48.005{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEAF7C71AD6E4CE1CFBE24CAE640159A,SHA256=0480E07C2C0D1B0C5F9AFDE76FB57F71D656413824740E3F175D5DACD11E1C13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393845Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:49.028{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91F17A1D349181D157018AED8268804,SHA256=ADB5412ACEB54B4C686226FF681C816E481DAE0E45C4B14A400F862485568938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448910Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:49.019{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1ED3FFB0A3E133C660FFD95CC4DE327,SHA256=F06125155B08673154D8482850B0127E8E3563D5635886E1AEC5AFDA239914A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393846Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:50.028{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=206DBD8853C15CD852440EF8F8E4DCD0,SHA256=8AB1A12698C0475D778DD21D8F72B495C155CCBFDC1D234B521F647A4457E923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448911Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:50.036{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94FBED6344DC50ECD360FB9283E58A22,SHA256=5CAFD590949E66AC7BDD55A2A817F2F0DD5CE2664BCADA947F33134A13FA483C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448912Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:51.055{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D7F5998BE27FA4014F88682E004CB71,SHA256=D1126D96A6CD435D1CFB20A81B2850CD75F23361738BBB3D744B272BA791B864,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393848Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:50.319{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53632-false10.0.1.12-8000- 23542300x8000000000000000393847Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:51.028{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F5BDA1403037F1BA4951925514C88A,SHA256=59125864DCBC16C1261EE73AE26D657251CE44A4703A3A9511260EB57DEFEF57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393849Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:52.028{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901D1B82FBBC88EE43E5AB82492E5BED,SHA256=A8358BBDBC497FFC0BE4E8AD74B8C9748A7223AC8E0682FB269E3F700FACDA69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448913Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:52.069{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21DF656281A383188A120CB4B38DF6B3,SHA256=111E3B536D2356045FAF0503ABC60FC314279818A00B0809918FFF9C59562BA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393850Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:53.044{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88421DB722AC159216CEDF8839814FCE,SHA256=BB74F1A6C5E34D2D069883F5A23C007C666BE2CAFA6EEA2BFCFAB35530830D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448914Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:53.084{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7E232FC8F53A152728108E19CEF615,SHA256=3DEC14F23A069642E4770DBF19C0A8B9DD6AF297A118D7F561B4FCBAB90B8E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393851Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:54.247{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC47CE022005CC57ACE58960D9C59275,SHA256=B5DDE8E559F28BA759A3CC7FDB114ABD792F197F30CAD8BF0A7B66934250A773,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001448916Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:51.572{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54226-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448915Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:54.098{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B90EFFCBB56F45AA3C6808BD354D26D3,SHA256=1C792540BB6FA89D1FA887232588F4FDCE1893AF8D643953D6381832DE0BE662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393852Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:55.466{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD0EDE04B62EDDADB565B101159EEE4D,SHA256=E51FBD2474D4F71E82761DDA7176E09CC56B60E4D181C20F7114CD42810E912F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448922Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:55.150{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=B9400AC17C1281692B3F4D1220EC200B,SHA256=385126B73BB602EE0980B0DC64F0F0A5388D38ED862A9FDA9E797B2495E0200E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448921Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:55.150{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=E3365B723D84B782390C1F391048E4F6,SHA256=2AB7E9D796239ACCBB0A0A575512D7E781B5F0EF04AC04A0320B7B2CB9CDB85B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448920Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:55.150{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=237180F6D9D148E6F943FD13A4CA985A,SHA256=12375B6695FD45F248A3203495A01EA3919B2D07919367AE3A618E9CA4D8730E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448919Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:55.150{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=80480B0641663AC1E92A7E8FFCCBD94D,SHA256=C157118B18BA30B65F9D26EACFBB6F9AAECCFA2D704A2A780925394C9660EA1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448918Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:55.150{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=E27A081F6478E9F4EBC2CCB4AEA425E6,SHA256=FF4DD6EE44A314DE5314E855EC3EA4E94951E7D39DE77BE2EDEA2C80F9005F32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448917Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:55.113{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D62303D2ED680FC6DCBD0E38D3017E,SHA256=9282B613D6A6B040EED050CA2288E6417F0AD3DCF01671268E4E63E34A2EE8EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393853Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:56.466{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F776DE80342EE2806EE61E0070F4A527,SHA256=14A5FEF934A2524AD0B9A84A5AD6D3E2F5A13394CAF61A3DBAD77B8F1C8D0D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448923Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:56.132{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66BC0E0B220774AC5DC39D0431703000,SHA256=AC72DE485001493F3BA9EA8F5C943D7EFFEEF78E7C7BAB144FDF498DCAA62E75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393854Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:57.466{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C277292D5FDE6A88D8AADD9CEDA2B65,SHA256=9B9E1C005B11965422DF37B5965C6F1BA37CF57C9743039A63AB652393530DFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448924Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:57.149{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6CFA060124D86201A0CB6E27BA395D2,SHA256=7283594B498B6FB587BC0489D59817E7BD647DE10114DDBD18DF12674FE20EF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393856Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:58.466{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5113196F79301856C811D23052FDD272,SHA256=156E489E9C7CB0A91987164FEE726491D7B7B4D21199F50D54C440EF38EC2951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448925Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:58.163{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9FDBFE601C413EBF1BB35FE50F132EC,SHA256=CB156C232172030ACE72A848130A096851CB17041D8F2F19F8CFA38072D52006,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393855Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:56.272{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53633-false10.0.1.12-8000- 23542300x8000000000000000393857Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:03:59.466{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0116F846901CABD6874B876716DD8823,SHA256=757F083C3B7EF32B72BB964A8CD4CDC69F31B30DD23D40E3C68FB0C1E1762D9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448943Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:59.829{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-033F-60E3-670A-00000000D301}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448942Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:59.827{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448941Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:59.827{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448940Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:59.826{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448939Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:59.826{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448938Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:59.826{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-033F-60E3-670A-00000000D301}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448937Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:59.826{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-033F-60E3-670A-00000000D301}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448936Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:59.825{D694AEB8-033F-60E3-670A-00000000D301}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001448935Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:57.566{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54227-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001448934Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:59.178{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=998A09680DEA4B0E7E90454CAF4E89A1,SHA256=7892EB90A748D756A9C268ED491FD7E55A6E7669C5F14912DE8CA8A947F75E93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448933Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:59.146{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-033F-60E3-660A-00000000D301}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448932Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:59.146{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448931Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:59.146{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448930Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:59.146{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448929Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:59.146{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448928Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:59.146{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-033F-60E3-660A-00000000D301}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448927Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:59.146{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-033F-60E3-660A-00000000D301}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448926Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:03:59.147{D694AEB8-033F-60E3-660A-00000000D301}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393858Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:00.466{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=785743446CA472D89A353C50C7101C40,SHA256=EA9DFE3D8C6AF6B3B205A958BADD0C99F90285FD5CAC4D01CB14289E8B03ACCB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448955Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:00.492{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0340-60E3-680A-00000000D301}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448954Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:00.492{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448953Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:00.492{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448952Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:00.492{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448951Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:00.492{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448950Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:00.492{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0340-60E3-680A-00000000D301}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448949Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:00.492{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0340-60E3-680A-00000000D301}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448948Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:00.493{D694AEB8-0340-60E3-680A-00000000D301}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448947Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:00.192{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B7B9B7E45EB2C3BCCD78123144F5CE,SHA256=8D299C265C0BD8908D10CD31B8682C003CFFB851C3DE1AEEC25C36EC54A8592D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448946Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:00.176{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7C7C01EADFBAE363EE220AAC31C2CA5,SHA256=E0029A9405325543F6EB747E011301AE0DA05906FEC5EF11EB145F12A580399F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448945Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:00.176{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4822B110757E0C3B34F9896D35DD967,SHA256=4EB0976C234775334B31CBD6A34B50B886A0DAEB249DB0CB952093868102F3E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448944Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:00.025{D694AEB8-033F-60E3-670A-00000000D301}49924616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000393859Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:01.466{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD9C3E9AFD1EDA34413C2300C3E281A,SHA256=DC5B24926E5CFFDA925C6DEB1C00C50AC26F2264A66A2AEE23F34DE453D7A74D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448957Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:01.506{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7C7C01EADFBAE363EE220AAC31C2CA5,SHA256=E0029A9405325543F6EB747E011301AE0DA05906FEC5EF11EB145F12A580399F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448956Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:01.207{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1E4893BC9A92D8A4CF44CF424F0347,SHA256=9888E07C8726D8A5B0D5DA7CC4F125582E6CF494A766DE8C1BFA9C1223E5552F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393860Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:02.466{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9917A79189A0481766919F282297751D,SHA256=5584AD6C33809D33966DEC7FA86B12C674C45E6B716118F9A56EC0304FF0F487,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448966Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:02.989{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0342-60E3-690A-00000000D301}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448965Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:02.989{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448964Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:02.989{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448963Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:02.989{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448962Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:02.989{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448961Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:02.989{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0342-60E3-690A-00000000D301}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448960Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:02.989{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0342-60E3-690A-00000000D301}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448959Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:02.990{D694AEB8-0342-60E3-690A-00000000D301}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448958Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:02.259{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA38553C978D4A5200AFF8824EC9F0E,SHA256=0EFEB29D3BD0B69F03BF257EB8CC532594886584ACCFC01B6005D32A90312DA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393862Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:01.319{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53634-false10.0.1.12-8000- 23542300x8000000000000000393861Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:03.467{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=391931861DAC3824C328B16E5AF8603A,SHA256=6CCF94A533022A6D8D43461440C5531B0B8F0266D4EE7E45FD9989AE68234DA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448977Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:03.806{D694AEB8-0343-60E3-6A0A-00000000D301}54283268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448976Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:03.658{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0343-60E3-6A0A-00000000D301}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448975Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:03.658{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448974Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:03.658{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448973Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:03.658{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448972Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:03.658{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448971Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:03.658{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0343-60E3-6A0A-00000000D301}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448970Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:03.658{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0343-60E3-6A0A-00000000D301}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448969Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:03.659{D694AEB8-0343-60E3-6A0A-00000000D301}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448968Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:03.274{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26E359E4DF57E6FDE2925E3E08A71583,SHA256=BA50BD727F61A11D3E99074AC8FC1F6A83D61B17547B864CF49D7E74D5659119,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448967Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:03.143{D694AEB8-0342-60E3-690A-00000000D301}33366552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000393863Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:04.574{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C84F7C264FE519007C712AF34EBA0805,SHA256=9798BF105B4BE89ACF4AA2A3850E25594AE86D11D091A3A3530529E8B96621C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448995Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:04.873{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0344-60E3-6C0A-00000000D301}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448994Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:04.873{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448993Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:04.873{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448992Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:04.873{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448991Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:04.873{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448990Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:04.873{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0344-60E3-6C0A-00000000D301}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448989Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:04.873{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0344-60E3-6C0A-00000000D301}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448988Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:04.874{D694AEB8-0344-60E3-6C0A-00000000D301}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001448987Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:04.342{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0344-60E3-6B0A-00000000D301}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448986Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:04.342{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448985Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:04.342{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448984Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:04.342{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448983Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:04.342{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001448982Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:04.342{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0344-60E3-6B0A-00000000D301}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001448981Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:04.342{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0344-60E3-6B0A-00000000D301}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001448980Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:04.343{D694AEB8-0344-60E3-6B0A-00000000D301}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001448979Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:04.289{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C865C631F96A385E3ABEC1A04680B571,SHA256=05D0102DEC691BA4BD2ED3ADF9ACA444BD6AA3A7DFA3531C6A5191B6E5FA9996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448978Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:04.127{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B35BB802674A769E3D05A95D4524A92,SHA256=3F012E51FCD035B9B8CFFE3F266DFE516B70775E1D08E11ECA61AE7F17231F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393864Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:05.592{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B91A7804EA5820A8EC9E8DA3F2F0DE54,SHA256=C4F04D0BCCF37F4CD886588DCB60D877F7B5A89CA8C5940AF93A3D7873033BA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449005Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:03.077{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54228-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001449004Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:03.077{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54228-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001449003Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:05.357{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2678D9180A13AAA3B16C5B61EC2E84CC,SHA256=F2667EFDEC92866762E2D612F138EDE507C207B610E5668428AA7022FD40BD4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449002Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:05.325{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EEC274CB5AB0FABFC5DFB6105D0B8A2,SHA256=D6C2CD746DD2BDB726CDEBE4C59A486A896AEE669898DFED3BC6BA6BAFE22A49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449001Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:05.172{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=6D63D5964C1822D0972C77117110BD04,SHA256=4E3B536918B64E821634C2C31110BC0AB29FA6B0B8C75AA6DE55D0595566B71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449000Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:05.172{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=F55BB9ACC6087B6D02D7C7E47B540460,SHA256=F49A5DEB89A746776FD96A2FC872999EB07F6324B56AC26EE45BECFF706988E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448999Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:05.172{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=D3022BB95187512D4D3608DD1A5B7975,SHA256=F88F8152E05043DAD1638495C93F7AAF2ABA9E7358A205FF649A1CF1E2598212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448998Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:05.172{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=47516867F7A2035C44F757F6374122DA,SHA256=0D036D0B0E4569E72449A4BE096457DB34DEEC73C797B31F0D445E683F9ECD80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001448997Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:05.172{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=992190A237ABD03C73B27DF97068E39D,SHA256=DB3A4FA2A4B7EEC775767A9494A7C03B4EDA9B86B5B80E0A5AF9B6E8C848BA3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001448996Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:05.025{D694AEB8-0344-60E3-6C0A-00000000D301}6748368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000393865Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:06.623{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B50F6E2FFB6F959A8773897B4ED588,SHA256=43934AA13517BB59DAF797B7AEB9DDC313778BE8FA1336B0AB1F7227460C10E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449007Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:03.580{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54229-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449006Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:06.340{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C48AEA877A64566856DADB4F28BFD1DA,SHA256=E1C9ED4B6F602E3849F38C6229196EB3A7683DD91F785DA9B7C811C656577EBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393866Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:07.623{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03AA292539C5BE68A0269BC8C4F3983,SHA256=7AC69199F6E93AA669286EE6F271246EA41031C735F0F73EB8C48EDD478A63D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449008Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:07.370{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F9C99C16D692458553EE5684820D5C,SHA256=BA1E54D5258171495095DA2AD9A77882825A43004B366284CE7154B4E11BECCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393867Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:08.639{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED505D2AFF13ECC7D0B88C192D14466,SHA256=C536A5B81A56A23E9510323FAEEEDB9D3423E23E03B46D4CD956EC07EF22FEED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449009Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:08.385{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A106713A9DBD77DE05C7090388DAD581,SHA256=D83BA34CFCFAFD38DBE397183801C265FA6C948244CF0D4FD34DC1C500EFB77E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393869Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:07.274{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53635-false10.0.1.12-8000- 23542300x8000000000000000393868Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:09.670{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11EF14324BCA9D2165E38CDC07972B05,SHA256=3C7BF9117C2DEEFD19D2EE12A65093DB31A660FF5B697653D9455CF32C83853F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449010Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:09.386{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7266C290224F89D2637596063040628C,SHA256=D4B03E0B952FB3FD834F89941F1653386D1C466F97DC68FF9900BEEEAA5F6ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393870Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:10.670{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD66CF0F7D9BC0E65A63C966163769D3,SHA256=6D9377215105F65E876581BFBD2A715EB7EA0386C856ECB0CB088335BAC0BC04,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449012Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:08.594{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54230-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449011Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:10.418{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0447957CADC72A344403C34517DD9F3D,SHA256=430E5E845CC3F0815A7A13D64A0AC545D9296B8F6FFBF8DB0E802956118458AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393871Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:11.701{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56EB18FAC4B69235954630F97E0BF0EC,SHA256=32B67E9F50141D4A0045C0AFA7C0D3C2D9C5E2B2451BD49A7AA5EF26C2B50612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449013Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:11.437{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475CB1F9FE327CEB82FC01546D5C4F6A,SHA256=A817D62E70D9FC44F71F5E85EE94B78786196828EC75C7AB6F57C09DEB7E03D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393872Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:12.811{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=408836BB11ABCD97508482BE87A9675D,SHA256=CD080D91F2D1FB254462293037632572A1789EC6AEF7A7FA3D214ECB97DBEED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449014Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:12.468{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7925461A25503929159F4D8BC21116,SHA256=7B14CE079D3EC32B3C197631E9F2D346C4253D864B9BB78E5AF34FF57FABE326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393873Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:13.826{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EAF5A3D5798916B11628E64A3E89066,SHA256=DB16DBC570D6AC8B7B97329F4743AD76F770686EB55B353297E26698267BCB32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449015Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:13.468{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20BF15BA9C4411AD288AA3C3DF9A6379,SHA256=A0715002DE755EF54BCBEEE6E31559C6F85D2E0101C16C6C56F6BB712841D5F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393874Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:14.826{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A538229194F9B4AB13F26BE392095A,SHA256=834DE77ABF79F82D912FBF78D333A60B31495D002A65BDF966D8518A62903461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449016Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:14.483{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23BA04DC49AECC88BEECD1C98EB0B6C6,SHA256=3A890FAC85E339213E43873F9F2B0B3CCF11A23F8D75819DC5E76E219C328D32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393876Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:15.873{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7106F7B45B51387EA46DDCAEDB0CF094,SHA256=1C45C4DD0AFF0C5806CABE11857C0F58C22C13AFF383F6B6E77C5A698C368CED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449017Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:15.497{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=272C336779CC01909CC09B77AA45EAA7,SHA256=52411838AD7827A9AF5E29A6485B2C7403394248C5ED7D4D8C6937E8DB199722,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393875Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:13.258{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53636-false10.0.1.12-8000- 23542300x8000000000000000393877Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:16.889{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B46928CA01AB2B073690C7C6C5B6806,SHA256=A57A7D7F1DAD59DCB00250306F64173B763755541491F8CD10177FDE8E20D50B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449019Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:14.569{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54231-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449018Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:16.514{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=831C49FBD07CF596F2CFB178D1531795,SHA256=967C4676DF33586B57645FFE8653897401DA95A0403C2114F75E6CE12EF0F435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449020Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:17.532{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A0C1EC1C741FC4A6C084580D10993D,SHA256=024F33EE17931DBDD7230CCE0E15BA36636192FCA9E4DD63FC33117915A9D2BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449021Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:18.547{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FDF0BDB3E15DBC3B7CDF3A3588F834,SHA256=33D16C7AC88193D13A53D541B160374534061BD238D0D9F747122ADBD4F170F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393878Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:18.123{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F143530E9D4A292B2C17DA97B4DB02B7,SHA256=AC4EDD8E633148C992ECD44A5FC7C395EFCC7541F070A830E78C68F84A178D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449022Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:19.593{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64E4989F6695F3DE5D81CCA3F60639D1,SHA256=81A7A0BF8D89BCA1AC6112EF3804EFA09D8D9FCB57C7AF69EE4E7AF63EA337C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393879Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:19.217{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A75C0538865E325B50F3F1EF34D773,SHA256=7308119320D40C3AB7205AF653F38FCBA86A6A1B9D83F82157D9A6535F362D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449024Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:20.610{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B393949077AD7D9617BCEC832299551,SHA256=5A436ADEBB597291EB4B9C530596158EDB197397CE12C0C876E5AFD6ADE44137,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393881Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:19.211{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53637-false10.0.1.12-8000- 23542300x8000000000000000393880Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:20.217{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A297610DCA9033BCF95BFC8BD86B6A57,SHA256=1539DFC40B0482505EB622A973A23D09B83D17E10864A1B25D7D851716CB82A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449023Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:20.492{D694AEB8-B3EA-60E2-0D00-00000000D301}9166928C:\Windows\system32\svchost.exe{D694AEB8-D133-60E2-0F04-00000000D301}3340C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001449025Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:21.628{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F8837574AF6307FD2641CABCB8912EC,SHA256=0CE63113E090F93170FE62788EF4D5C4D7F9022EFEE7DA9EE442B66B53C982F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393882Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:21.217{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E30A66D30E8171FE5E79C8D46C6B3B74,SHA256=0C94ACBAB3E414E7977E9388980745B7E2D90E4C7922C530A7498780ED3F0CD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449027Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:20.600{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54232-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449026Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:22.643{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD4CAB6D234015792775B86612EAF1EC,SHA256=47C942F819CBE2BFC5057E0B77B04173968B3E7534EAB1A4BE03B6982EA2D773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393883Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:22.217{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D755F8D720E68FE931DAF3031A04D0DA,SHA256=32846329321E96D9853F59209390EC0C0158DD2D1BCC620A47727426951AF578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449028Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:23.658{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4CD5517B33E302B27AA55EA89A5CC20,SHA256=86C761DB50067AA13D4E6FEA0E5130213F0C83BBE8A489848C3385D2DB5D6A2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393884Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:23.217{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C332E88280B1D97E32AE750D46D3210C,SHA256=59A3782C59B10BD39C582080697115EDC23E9736CBD1C5E6B5AE5B2B275AFC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449029Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:24.672{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=105F94E9FE26B595006E6DF511A2A788,SHA256=F18D3E69D587428F45D0B0F6799C8709E1EB876D5064292301EB133A0C7D0F75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393885Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:24.233{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B85661A8097378E1CC90FA2E630A5FF,SHA256=549A52B1FD57C4CBA9750762895E3B6060C1846927390738AEC00663D1AA8E1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449030Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:25.740{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1DEC34580D8E871D9595550BFA7DE5,SHA256=CF39F97DF78BAFCCAFC7487C1AB15AAAAE910F842D1DA4B453CB63E6584BD164,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393887Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:24.430{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53638-false10.0.1.12-8000- 23542300x8000000000000000393886Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:25.233{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=772F8305958AEEB243702BCDCAA43A51,SHA256=CC721FE3C3DDA23F9EED1FD089832E88831A674CF4AC44EA988325A137B29AC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449036Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:26.741{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1B8CCF2EADFC928B3614685804A1B3A,SHA256=2929DAB605F1469DDD690F0CD3195F5CDFA0A2AED819D8EC2F78C92601A6F1C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393889Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:26.233{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E80124B6C006DDC7C86F52B4E53B0D81,SHA256=EA2A043FEEAEEF152162FA9877BE050745E3343622E65C2619EA073ACBE3F509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449035Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:26.039{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=7D31770BB6EC5EBE15A8B343CC831046,SHA256=2F8BF939C066D97ADE8E904BC0163DE8E4C317959CE800F85A781A148D09EA4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449034Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:26.039{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=076C557E9701A7E5FC56ABB93171603E,SHA256=09D19AE62CFF8B7AE59D0F18E33AC609B60E5C055633091B41201282EAB99A1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449033Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:26.039{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=A16635305425718CB3DE36122265757D,SHA256=51527FA75CB22E85298F490BDEFAF1271D7BA45751AD103BCE410A8F6BDD3F1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449032Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:26.039{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=DCA3D066592BCEBD75C7DB2838229390,SHA256=9F565EBA50B61EED89EE3FB28D539EEA539A564DBE55EB98DF454ECB64961CFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449031Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:26.039{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=155BF97C7EC3FEF20ADAA092B3194EA4,SHA256=C98DF148AAA49D4222CDBED27243BE7C8DFCDC5FC5CAD676AB02983EAB959DDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393888Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:26.217{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DF99103E6FA266830523A7B5C95FAB6A,SHA256=D1EFBD754992645514D0004BF900010303E40C54B51500DE7D4A7B7F69D7B0EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449037Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:27.771{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A876BF92CA2F7C86B00D358D49D0DECD,SHA256=7726C9B93446B8DAC0B7C2BBC64124AD4B19940DEBF803528C5E925D6374D8AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393890Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:27.264{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56C28B1795748D8448D96B51B3421E06,SHA256=512E679BB5FFEB65A6786B83B80FAF4F8F1DC86D31B7C0A9143849B4E659D408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449038Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:28.785{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E36AD3BA56029871FA0C4EAAADA883D5,SHA256=AE9EC0AF7567FB8F6E58C380791E75F34B13850F83535C7FF7BAF421F8EC92B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393891Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:28.264{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88654E9A528DB86A3C7F946FEF52C17F,SHA256=AAEB32B8E67BC804C3DA61196B1DBDD82BA92657225BBC034CF46E9C3C3E2380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449041Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:29.922{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449040Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:29.803{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A129C9E6898740EF7834A6F4C62179D,SHA256=84D81E84FC79AEA66DA71ED96B21C48D5266DF2680CD35317E850CBDF639C8CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393892Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:29.264{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A2DC3D8CE107B54815E2AD0AD782502,SHA256=5069A59818F0BF03283A58C596C16DFD5779DCB4782DAB0E87A96370A42970F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449039Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:26.612{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54233-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449042Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:30.821{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC262AA70425D933B505CC674CF72E57,SHA256=0D2255E8CA644ACAA1B291F9DA97F55289CF5B001010CFDA88AF47AC5DF5AE3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393894Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:30.686{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393893Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:30.280{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C6EB3B48416500E98F07C5C69FDA6CE,SHA256=2628C9A0B1A53E7A4A45FAF8800662FCB6B1F6ECC165A02913EDE049AE22D621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449044Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:31.836{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F350992C0772622A67D4C9941C84017,SHA256=FA52F0CAFFDD247265C44103B36916104D53F259493798EBA52328EDAEC06027,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393895Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:31.295{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FC425FF1C6204AC9171CABA9CC5648,SHA256=69AC8573FF55F92F961398A362124FF7B3C3125C23356AB0CFC134F44349F6DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449043Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:29.356{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54234-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001449045Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:32.866{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1375FA7707B33FE9B3B5B7521CB26C93,SHA256=274E8D007282A642B607095F47879F2417133867C1F7588332FACCA66A345230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393898Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:32.295{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D7074909A0089D61BA7E64A83D9879,SHA256=53714D248EF7BA893153A1A17B0C9D4618897B73C0A8EC4F496678EEC2AF4E2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393897Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:30.852{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53640-false10.0.1.12-8089- 354300x8000000000000000393896Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:30.415{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53639-false10.0.1.12-8000- 23542300x80000000000000001449047Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:33.899{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE136CCDED1AAA577569DC002355BBA0,SHA256=3DB93BF39AED6D0C3C9ED6D8461B89130B2493ACB7B12F199A94C4AA44AD9F73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393899Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:33.295{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F88FE7433E94A6D2BEF5282868CC5E87,SHA256=78A34652093F68409324C4634A802282EA163B58D33ADDF81F28908340AED53F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449046Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:33.749{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8378BEF29C99CD8DBB372F3869E487D8,SHA256=E9BF3E4ACCA67666E7D5BEC2D18D5EA1CFC990AF1C1B2CF30627BF40CA564E40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449048Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:34.917{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027132862432694DB4D450EE3D886291,SHA256=E044E851BBC4C5765A673EEEFB5734C9ACC1FE84FE87FCF842A0003A951BC7C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393913Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:34.639{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0362-60E3-DC09-00000000D401}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393912Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393911Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393910Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393909Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393908Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393907Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393906Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393905Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393904Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393903Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:34.639{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0362-60E3-DC09-00000000D401}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393902Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:34.639{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0362-60E3-DC09-00000000D401}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393901Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:34.640{7F1C7D0B-0362-60E3-DC09-00000000D401}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393900Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:34.295{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD00A25963CD4ABC9BB797790DD4733,SHA256=7AFEF06B6465E5C1FB258E224CBA27BD72FD19A26864E286BBFBEE29DD1C2E90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393943Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.873{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9F9191731CB0AE8ADC1AC04A3DE786A,SHA256=00E9A587F3F5B5CAD8D654E6E06B4DA7B73AFF4DE8097570CC3C092338089AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393942Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.873{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24631655C755DAC89ED66CA8459E9EBD,SHA256=F7720539B401679CE9C8DADAE56426EB8666064B2CCDD7A1AF8B6ECE5EEC35AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393941Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.842{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0363-60E3-DE09-00000000D401}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393940Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.842{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393939Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.842{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393938Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.842{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393937Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.842{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393936Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.842{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393935Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.842{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393934Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.842{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393933Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.842{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393932Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.842{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393931Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.842{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0363-60E3-DE09-00000000D401}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393930Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.842{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0363-60E3-DE09-00000000D401}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393929Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.845{7F1C7D0B-0363-60E3-DE09-00000000D401}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393928Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.842{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C05F4E3A8E34C8A81F814369D4A2C7,SHA256=581BD4E709431B201A5370E4468D2D82F569083E0B7E5E0ECFD8A1612FCA5E41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393927Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.498{7F1C7D0B-0363-60E3-DD09-00000000D401}16201648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001449050Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:35.931{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AB123A98DE6DDFAB26FDDB2D1E7AAE3,SHA256=414946F03A4361A389EF209B4310E656B8A831596B8F0142AC000F29DAF86654,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449049Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:32.637{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54235-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000393926Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.311{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0363-60E3-DD09-00000000D401}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393925Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393924Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393923Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393922Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393921Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393920Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393919Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393918Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393917Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393916Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.311{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0363-60E3-DD09-00000000D401}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393915Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.311{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0363-60E3-DD09-00000000D401}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393914Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:35.312{7F1C7D0B-0363-60E3-DD09-00000000D401}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449056Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:36.946{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA28F7975F2ECA868CDBD75FDD594E00,SHA256=946D2D23FE55D12B0849B5CDD722A46BF360C243DE15BFEE625674AB75D37406,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393944Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:36.561{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B9CA1F76449B7FEB56CC1E74D3FBEE,SHA256=1E99FB0892F48F677291E5BB21D69992CD92D58E49FA70EB968904530A9442AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449055Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:36.062{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=FBC3E865F41B50D9E1A42425185962D2,SHA256=EC0FE08EF8C6694BFD5BCDF23565FEEFD56B35D30F3EF45A2FD09057548EF1E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449054Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:36.062{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=FBF47085947E2872BAB0EBE8BDBAB2CE,SHA256=E3400620C7F3E0B2FEED943EB2A02EEE0C27017FEE03422400231AFADCC78393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449053Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:36.062{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=EF9F1752099EF43EBC87523496A2F202,SHA256=1117951010FDF1525253997D9C7D800B64C8A4F6E4807C5397B0E03F11276937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449052Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:36.062{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=B6847A9636F9C54702731540AED0B465,SHA256=E7414E1DA0977E85D067F1A41BF686C9C5C6D845BF60171D16191324DFE35D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449051Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:36.062{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=B491EA7BEF4399E49F4804BF617B72C1,SHA256=C6C7B817237E5D8D9D9727B942CB2D5B80C86E9366C7D56986B9FB81D5BC5A3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449057Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:37.961{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E56C2D4E54F883DEA207D9247B87510,SHA256=19A9DA5ED959AE640EA8537394FF0A944624AEC699388E22486640F77E86ECC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393945Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:37.561{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F9F73135A0CE6DC44B538C3E49B7238,SHA256=149FE059138CA8685EE77D07FDBDF9F2675DA1BC234A39F5263B6C03A0FAA15F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449058Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:38.962{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33AF2E646A28DFB691D51B53B5EEFBF5,SHA256=B0A197596D00B644DC65C31587F089B60725BF85C7161E85E6C38A907A1B9462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000393947Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:38.561{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=016E99425B133EB571363F5D76425C8C,SHA256=30E8B6C7F63BAF5384B339CDEB02C4090E7FFCD3F275C335C21E0D116F7CAF25,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000393946Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:36.415{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53641-false10.0.1.12-8000- 23542300x80000000000000001449059Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:39.994{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9BF6364B7664219489C9C36614F1A28,SHA256=D7315CBC50F02D71B5BEFCA7595844C1DABDE4E26C223558E530C432DD98C02A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393976Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.983{7F1C7D0B-0367-60E3-E009-00000000D401}38922696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393975Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.780{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0367-60E3-E009-00000000D401}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393974Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.780{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393973Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.780{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393972Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.780{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393971Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.780{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393970Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.780{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393969Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.780{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393968Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.780{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393967Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.780{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393966Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.780{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393965Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.780{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0367-60E3-E009-00000000D401}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393964Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.780{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0367-60E3-E009-00000000D401}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393963Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.780{7F1C7D0B-0367-60E3-E009-00000000D401}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393962Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.561{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D747720948EC78CE9E13BEEF8A90E835,SHA256=3DCB6DDAF483AF169A574A13EDA41B8757D7E37D3025BDDF9AD9D4A8520318E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000393961Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.483{7F1C7D0B-0367-60E3-DF09-00000000D401}38083988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393960Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.280{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0367-60E3-DF09-00000000D401}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393959Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.280{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393958Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.280{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393957Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.280{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393956Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.280{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393955Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.280{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393954Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.280{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393953Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.280{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393952Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.280{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393951Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.280{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393950Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.280{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0367-60E3-DF09-00000000D401}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393949Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.280{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0367-60E3-DF09-00000000D401}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393948Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:39.281{7F1C7D0B-0367-60E3-DF09-00000000D401}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000393992Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:40.639{7F1C7D0B-0368-60E3-E109-00000000D401}34963148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000393991Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:40.576{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E5A64A1DBDB0CB729DEE99126080C8,SHA256=FD67BCC263A42EA6DB12AB57D0847701A858A8B9A1DA5C96D82532538FEDF06B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449060Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:38.633{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54236-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000393990Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:40.451{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0368-60E3-E109-00000000D401}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393989Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:40.451{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393988Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:40.451{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393987Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:40.451{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393986Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:40.451{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393985Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:40.451{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393984Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:40.451{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393983Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:40.451{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393982Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:40.451{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393981Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:40.451{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393980Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:40.451{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0368-60E3-E109-00000000D401}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393979Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:40.451{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0368-60E3-E109-00000000D401}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393978Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:40.452{7F1C7D0B-0368-60E3-E109-00000000D401}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000393977Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:40.358{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9F9191731CB0AE8ADC1AC04A3DE786A,SHA256=00E9A587F3F5B5CAD8D654E6E06B4DA7B73AFF4DE8097570CC3C092338089AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394007Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:41.701{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0883A5D8F120364C406BBB8537CF936,SHA256=C7B141DA18C4476180A992FD9D5AB42F2070FAE4A4E1A745F3C6C9250C6C9BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394006Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:41.576{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DFAFDB9FBEDE9579C8F5D159E89F177,SHA256=FE758EF1E36750BEDC3DC66E7153C3F2118DCE2482131C2DC283DACE6B52D88E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449061Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:41.013{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A076F7747A2331DD8436BB414DC5CE5,SHA256=176758859976E57461419F0E8FB20DE5EA226AB40150EF1AE7553EB286BE70BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394005Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:41.123{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0369-60E3-E209-00000000D401}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394004Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:41.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394003Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:41.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394002Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:41.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394001Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:41.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394000Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:41.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393999Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:41.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393998Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:41.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393997Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:41.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393996Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:41.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393995Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:41.123{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0369-60E3-E209-00000000D401}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000393994Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:41.123{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0369-60E3-E209-00000000D401}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000393993Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:41.124{7F1C7D0B-0369-60E3-E209-00000000D401}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394008Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:42.576{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75095E76D9318C88C9DA60F3342BBF22,SHA256=B95846E7F93C18F9A98E40F2944ED9CBD3CA944BC4D208D8F3592C6DD6A586A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449062Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:42.043{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1785CF904E7562BE3ED7909381E4EF44,SHA256=C6C932E8AF8F3DF83ACF43D53B5A9F938CC8C9850202C52AD69F0C93F82859BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394010Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:42.227{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53642-false10.0.1.12-8000- 23542300x8000000000000000394009Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:43.686{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2BB438CB108BE5EF3D45AA97916EBA7,SHA256=D9C932F9CA8375A6DB4E606010C136B03115A506B603BE24464F61F0E73FC928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449063Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:43.057{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E084A52D808EEA469CB193953A319AB,SHA256=E75D8A4B284B3A57CE82137AA0E040835D6F5A9E7FCEAAE1FA44DEB48A5D097D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394011Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:44.701{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9152932B643CA7FACE24BC2D3AE6B95,SHA256=48B44DC766A14F70572A4296F38ECD02B6C33FC2B0A2A3D06B1688CBF1DF1B34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449064Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:44.071{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B54284F00D6891711267A0ECEE258A5,SHA256=C3B8B2C003FE9FB08AB140E216A9092114A88C8A61CE46CD056200CB9F4F04BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394012Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:45.748{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000D75E69A1473D1944FCEE53DACE34C,SHA256=DE42B967283517DCE63CA9F2BF51F8A32272778E0E79C4348AE7094C3DC16CC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449065Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:45.088{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5954F5F1013EE77E85979C7F1973645,SHA256=E9957D4008F1001305437AAC076D82CFA93C4249E913D056C546BECF869295D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394015Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:45.581{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-55881-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000394014Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:46.764{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3BB6D8826AD813F1F6CB03F32CD5597,SHA256=2C32810CE92741022F3F7F5A6E78D77A95A9E4F8E67CB8FA621A4F207A9DE28B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449066Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:46.122{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC0BCC95479F562992572813CC5DC385,SHA256=8A9AD4376E7C3532B660DEEE1A3C22085E8674D36D1631AF4317287E4C6F7641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394013Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:46.655{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=291EC5176BF1C80D064FDB7343995289,SHA256=51BF83796CB055F07DE7964B28C5C975AF0E90725E1E056114DCF67BB7B143B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394016Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:47.764{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D485E8E61845D1B6FDE7D6141758321,SHA256=B327385FE58EFF0C58C9D3E59DA02428FC484752ACB09F9198A0A2794D39DDE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449068Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:44.626{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54237-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449067Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:47.137{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B848AC8ABF2461CD434E67ED0FE72F,SHA256=D0F95F109026BAB673F1D4CFF2A0E4BC06196815F47781B3CBA7303DA27FE64D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394017Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:48.764{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0675900768B8E0FF2C200965C483A011,SHA256=1E931EFBDA4018BFEAA9752E6FC6362BB3F26AD9CA658234D4E836B88C04CC62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449069Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:48.151{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED94E29D8A1E55F0D01C60C1166E3B8E,SHA256=1B46D26E85BBDA63984F6FEEBBD500733B391A746ED42C158A369D3CA0C78162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394019Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:49.764{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5765FA696D98CD06E0FCAB59CDC4FAC2,SHA256=ED86D814CE5C5DB3E61657FC1F6BAAB80F9A2A7D20C9CEC721D96BAA901ECF84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449070Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:49.165{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A2F7B6B256FDE5D1023504A6B40B21,SHA256=31A3C8EE76E32103E7E9C7D6F1D39D23BC5ABA37E7C0D9978486F70CCA89734F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394018Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:47.368{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53643-false10.0.1.12-8000- 23542300x8000000000000000394020Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:50.764{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EBAA9FC6AB8904EA5DD6254EFD33B78,SHA256=D79BFB3773AC67E59EBD319A30AB6B70DAE30D163B7B777D796530AFA33A02E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449071Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:50.186{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20DE2BE93BF8167019D2533ADE66C305,SHA256=B35FA14F0C019F0E39ED9AFC6633F1110FDACE38A8719802C8539DCA984A4B8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394021Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:51.780{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B43BA5128B55D2B061CDAB7D2510FE,SHA256=5E62A3579EE670961FDCE6560E26B9D75F97F2A28FC50AE8383EECBC6A23EA81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449072Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:51.201{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65EDA1821EC01C7BD5CFE3EE5618320C,SHA256=3AA043F879FC14329B8456631306700EB38D41A3701039CF21C47F26649B13A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394022Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:52.811{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFCD43B40AFC5DAFF4ADC702A0EC5325,SHA256=7A0E7479EFF70116CC24532FDFF889276FFE48B43743CC4619DD2DA99F5B8395,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449074Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:50.635{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54238-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449073Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:52.230{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDC338C23A52FD2B3C888FCA6CB7944A,SHA256=2E550D24522E208DDBE48E4EB1D8D47CE63100CA4C86F578AEEEB9D7963D3639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394023Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:53.811{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DDCD53B38EF6E06A5C1C05F400957DB,SHA256=22B13DDF8AE0283E21E96A8E94AA8514E4B5FAC225F21B8D05D662FD4E58BD32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449075Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:53.280{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B6426D6F0BB24E2E9419D845785401,SHA256=7983A2C7D8B7504BD15031B553995722684756456940D46C320165CA61B7C8E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394024Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:54.873{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B6F207BE9C3CA37E665CE12B3D5268,SHA256=022EED5A72408F9B3FA3001BA91D12F37DF029D03C773FDD02EC58DB1A5685EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449076Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:54.297{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34DE33030DE5E556B4CFE6E67E38D268,SHA256=4D86562AF16EF51141FDB77E71141E2F509644368D59013C45BC55B65291C2A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394026Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:55.873{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=324B5B56D86D7668F388BD5FD22492B7,SHA256=3DD265B71A3583BE82B1ACDD4CDAD6578E62B68D17BB5E3C2B9B111B63E618CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449077Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:55.328{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2963CFD8F3B321F4D8D582893CFDD00A,SHA256=431F013423677333B0F18D7FD8DD9061BBF1094D815BEDF0C7F933A6B70C78DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394025Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:53.384{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53644-false10.0.1.12-8000- 23542300x80000000000000001449078Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:56.342{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95F6409A40E796FB7DADD385BEF403C,SHA256=6E2644DA87815573A7D693B892D18401333F8AF601E070034D03F16D6451F09B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449079Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:57.357{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5342FFC0A66E98A24175BCE51E3195,SHA256=6215EE79F1844A71D9DF8F68D33579F575886C21AF8A91D038EB0DBD507917FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394027Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:56.998{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2737FF7FB6FE866247518F2D65B83AA,SHA256=01B58DEB06F25BC6CD91258D201BCF56A0640FC00D598868A7B7260556A0A54B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449081Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:56.613{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54239-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449080Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:58.374{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51FCCB56D91B4B70BD230A125055D498,SHA256=D76687C39084E214B1E1CAE12694E6BD20CF10E8AF9049FAE89C49B17B766C78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394028Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:57.998{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F73BF14D14D1FE54A0F3C3A9DCC41C,SHA256=1E31B2810EE9BD7EDEABB6FC973F8E9579CC29A633C838CF73BFCA7131AA26FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449098Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:59.854{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-037B-60E3-6E0A-00000000D301}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449097Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:59.854{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449096Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:59.854{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449095Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:59.854{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449094Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:59.854{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449093Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:59.854{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-037B-60E3-6E0A-00000000D301}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449092Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:59.854{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-037B-60E3-6E0A-00000000D301}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449091Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:59.855{D694AEB8-037B-60E3-6E0A-00000000D301}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449090Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:59.392{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C52695BEE93753B8089251BDA44647,SHA256=2CD585ED02D222225AA3BF05C1D03F5BD3515AE4A54D64EF6C00A1753F422575,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394030Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:58.399{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53645-false10.0.1.12-8000- 23542300x8000000000000000394029Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:04:58.998{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C62501FE8FCC9AC332F6A4AF25BB79,SHA256=79C61670B6D80A4D04D3AF027AD885E30FCD2D199604D987AB6A1BCFE1A1D6E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449089Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:59.176{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-037B-60E3-6D0A-00000000D301}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449088Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:59.174{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449087Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:59.174{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449086Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:59.174{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449085Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:59.174{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449084Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:59.174{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-037B-60E3-6D0A-00000000D301}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449083Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:59.173{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-037B-60E3-6D0A-00000000D301}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449082Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:04:59.172{D694AEB8-037B-60E3-6D0A-00000000D301}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001449110Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:00.475{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-037C-60E3-6F0A-00000000D301}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449109Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:00.473{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449108Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:00.473{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449107Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:00.473{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449106Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:00.473{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-037C-60E3-6F0A-00000000D301}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449105Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:00.473{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449104Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:00.472{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-037C-60E3-6F0A-00000000D301}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449103Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:00.471{D694AEB8-037C-60E3-6F0A-00000000D301}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449102Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:00.423{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B63E0B31974E892081F965B96CC86C68,SHA256=6FAF3B8C27C7D74A08032E5B76943B08EF0D4AEDA0677C6304F0A8BCCFED4138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394031Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:00.014{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6696728CF59A3D08EADEAB6D6BC0D97,SHA256=42165C82AB41F2AC8B51CD700196A9A09BE7B62AE9AD0B8457650F23F0113E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449101Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:00.191{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1546975E85732DC19CF53FE37CEA296E,SHA256=E964E90BF63C4E644CB8AB50D0C5311F7AF734FFBF3BDCB8B26F1116C1E8E1B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449100Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:00.191{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CACC6604E512F50C92EF71E4ACB5E49,SHA256=3E71FBC2E6B47F442DE5D142A026E126318B2A59E6F4659F89CC9A35260666FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449099Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:00.039{D694AEB8-037B-60E3-6E0A-00000000D301}39126500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001449112Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:01.522{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1546975E85732DC19CF53FE37CEA296E,SHA256=E964E90BF63C4E644CB8AB50D0C5311F7AF734FFBF3BDCB8B26F1116C1E8E1B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449111Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:01.454{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE58F2291580E964E26B1ED4B0FDC39B,SHA256=425487B3176FFBC46590C221F674329EB2E49C5EBFCFF8699C06C484C0117A56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394032Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:01.045{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE196BDE32BD6F745D6BDDF4A567D413,SHA256=22F14B8CE0AF8CD9C879E243D49885000B3C6A8256299D4E0F165B485219B317,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449121Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:02.989{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-037E-60E3-700A-00000000D301}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449120Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:02.989{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449119Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:02.989{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449118Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:02.989{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449117Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:02.989{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449116Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:02.989{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-037E-60E3-700A-00000000D301}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449115Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:02.989{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-037E-60E3-700A-00000000D301}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449114Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:02.990{D694AEB8-037E-60E3-700A-00000000D301}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449113Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:02.471{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F54DBF450E199249A4500CCBEFDEF7C,SHA256=AFD87136BEB761F9D0FA73F1037A03EE0C620412CC60B4B917C0BC71FBB7C1DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394033Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:02.092{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=426C11D6EF9DA981022D833488A76AE4,SHA256=D85FBC38782958DEDA87B90D8026FA969A0407D0B0F56383A2F328DACDAD02A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449132Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:03.820{D694AEB8-037F-60E3-710A-00000000D301}66485392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449131Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:03.672{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-037F-60E3-710A-00000000D301}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449130Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:03.670{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449129Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:03.670{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449128Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:03.670{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449127Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:03.670{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449126Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:03.670{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-037F-60E3-710A-00000000D301}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449125Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:03.669{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-037F-60E3-710A-00000000D301}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449124Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:03.668{D694AEB8-037F-60E3-710A-00000000D301}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449123Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:03.489{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=095DE75CBFCB5365B4681A6F46FA7EED,SHA256=B7B754FE3E401A1122D19274813F9D48F616C68C44F4B0C007194A52133C1848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394034Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:03.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0CE011F4F0CD9AFA6A41ABA482E258,SHA256=5BFDB0C66C9F7C909BDDF841ECEA2272A5FDD4F03F29A8B29BF2ADAB91930514,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449122Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:03.152{D694AEB8-037E-60E3-700A-00000000D301}33604296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001449145Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:03.092{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54241-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001449144Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:03.092{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54241-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001449143Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:02.627{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54240-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449142Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:04.504{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A8797BB3B2D749A6338D6F034091FD4,SHA256=D10C7F01CEBCCC3283F167C9BEBBDBD488D0D4E856CB1F014593FDB27584EDE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394035Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:04.188{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1707A10270F471F60000309D8E17889,SHA256=E79A59CD94F56341A01E7EBC1342C98DBC29C94C9D2FB071F666C0A7C58D69B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449141Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:04.335{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0380-60E3-720A-00000000D301}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449140Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:04.335{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449139Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:04.335{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449138Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:04.335{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0380-60E3-720A-00000000D301}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449137Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:04.335{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449136Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:04.335{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449135Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:04.335{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0380-60E3-720A-00000000D301}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449134Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:04.336{D694AEB8-0380-60E3-720A-00000000D301}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449133Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:04.004{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA6837AFA8355D9933E65A731367F5CB,SHA256=6A5726D4AE2D9B3C2745E358662CDA47F4D4488ED29E357DBE448EED430DD151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449156Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:05.507{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEED0F85CD2040E8AA82D25ABFC11ADD,SHA256=B30FB67498CFED5AC3EE5B8FC9D1D0ED0BC4DFA424068254028A286765EEE206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394036Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:05.201{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6BDCCDB7EFA07A9989A83588B347058,SHA256=C299FC744F81492CA27D334CC1E0E4AA6FFCD307393E255CA227AB1203623D9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449155Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:05.338{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CE730E054DDAA86EBB53A86C915F53F,SHA256=D897EE39560D346CA738CFE3147E689AEB9805E0F30D2DCF9B2BF32F2106A9A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449154Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:05.187{D694AEB8-0381-60E3-730A-00000000D301}61004888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449153Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:05.008{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0381-60E3-730A-00000000D301}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449152Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:05.008{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449151Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:05.008{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449150Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:05.008{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449149Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:05.008{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449148Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:05.008{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0381-60E3-730A-00000000D301}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449147Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:05.008{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0381-60E3-730A-00000000D301}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449146Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:05.008{D694AEB8-0381-60E3-730A-00000000D301}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449157Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:06.537{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D1577DEEB4EDF6D46060817EDED5BB,SHA256=75F5A43E5EF69E3CD2512A834D21D2EC409F068D1524F016E571DE9C740421EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394038Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:06.437{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A262956FAECE85AD5E607E317149B7,SHA256=C962CB19085008AB51EFEAC3E6AB10DAA45CFC82AE4AF6DD0B0791C4D3F4B9BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394037Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:04.371{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53646-false10.0.1.12-8000- 23542300x80000000000000001449158Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:07.567{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B4393AE93319E26C5133840BF634445,SHA256=5D80FED7BDEF3C4292A1F02719EFC333644D62745830D1E3D84CDCAB99183250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394039Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:07.484{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A22ADA17E0084DADA354150DFBF5E480,SHA256=D2C57F1BD201922FD41BC913028A67049ED98ADF8B9E2A3B4EA2B9FFC58E8CD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449159Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:08.568{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA8C2C3F16EB75C9CB396E400D886358,SHA256=1832740307D1F6EF9E8C9B813FE4C677295E1392F12FBEF31801D5882F3F6C92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394040Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:08.499{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE095E5B9B734B8C634588842F24D931,SHA256=F1C82B4E1A3AA1A837B90D96A68FAA3C180B7B73A9250CDE1347798FD73E68A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394041Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:09.515{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970A1305603CCBEDB3BCBD3AB8E05FFF,SHA256=1A998074DC6545C2134CFF1BEFAA0A51ECDE4EF50080B06A1DC3D81BCD862A84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449160Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:09.568{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=106174E860456753B21E34B058471E03,SHA256=6A4C6D7D1E2FA770C0E94E463CA79D233B296442BCA2ADB53F402521460BD351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449161Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:10.585{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2827761A114CCCDABF07539806DB71B,SHA256=45C864D071292464419C0489C88A78B19284988ED4CE4B08A09B42F761421302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394042Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:10.530{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EF33AA04FFFF14DC0EC6E1CEDDCD552,SHA256=C9A0EB00575D1D04422AF4D0B05F32F7DD46CC8ED0EBB0FA66C62C6A7F1161EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449163Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:11.621{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01FE489A1DE3B13FD2E5260FF1264FCD,SHA256=DE7A06AAFA5FDDBA9E3F7A490E111152A7ABFDAB6C5A7871E81C30FE75454D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394043Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:11.593{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D527AD2101FFC38AE66B8CEC229CE881,SHA256=A37900F9C9EE91EA0DFAFBD3235283F48870572D46960BEECFC77789ABD73A5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449162Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:08.593{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54242-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449164Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:12.651{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B71517A224E23C0F871DD53E63849E,SHA256=A3DE2EB76D7BCE600599D2EF5F907CB13B671E37FDBCF2B9614D028E8D78E251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394045Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:12.609{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=484E7BFC3A73AB95C385CC7AA0137133,SHA256=3E2E83208659786B0B3677F7EBA95F3CBD18CA48BB65E96AADADA94765791D90,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394044Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:10.385{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53647-false10.0.1.12-8000- 23542300x80000000000000001449165Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:13.684{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124C398427AA512252E04DE645514989,SHA256=5AA4F9230C35A6BE403CA7F718226930DD4E83BFEA6B4B285524A18E02CDB56D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394046Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:13.609{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD42F6F7C47613F2AB5A41C92BBD9DF3,SHA256=19827C88344BCF5A357BE2CCCACBAD099EAA32AC021CF7D06E7376CF3734EA63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449166Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:14.703{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6930796D4B0F59DC5B36EA7E291A2746,SHA256=9AFAFF8BE0520E894AE2A2A71B38D795FA86AE490E87EF9F77BAAF3119D9C32A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394047Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:14.624{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14F02691CBD87D76868D4504DBF0D9E9,SHA256=DC064D198BB873A140D7B5BD51F66770AF9633C3F5DCF2975A62BCE695F9BD6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394048Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:15.640{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B9D4DFA4B93250F2AA72533A8D4A08A,SHA256=E813916F9D0C264D9618C4EA1E5447974D81FC5AC7443C283EC6104E20E0DDF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449167Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:15.734{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A9620A15F2923C96BC80FA9B5BA5B97,SHA256=8D6A22D2CB4FD917928C1171610D6A363531A58B3FC7257AD1DEE0131408DDA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394049Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:16.640{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B6D6AE069FB63A47C47E5B216B97E41,SHA256=2CD41564540BF39A32C2D4E36D96B29CC641D2D2DEBFECC95B1C734F855F0E47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449169Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:16.748{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A87FE83750A85AD49EB2CF1011539EF,SHA256=8D3A82F9AACEEF293663C37A967584AC41FC99053CE4CAEC7FB518ABF1D4F8A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449168Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:13.606{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54243-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000394051Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:16.307{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53648-false10.0.1.12-8000- 23542300x8000000000000000394050Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:17.655{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C088BB898D4D604CC6DBB54BDE725901,SHA256=B07A88DA30956AFA4AC0B5387720FA765180BFD63DD26ABD03B78D8CE4B94A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449170Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:17.762{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA2410545E062491DA1E28816636AE8A,SHA256=03AB553F2DD5A62A10E055C8CA728824F065EC94C743B973F40AB5F4FB185CB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449173Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:18.799{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14184555D56D6BE683D9C798D855A8FC,SHA256=D239F27CDF76D337689265AAEC9A2CB895A10A3743BE83FDACC2CC42D645EEF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394052Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:18.656{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7322FCDACDF264599D9A81A16AC6B07D,SHA256=EE4D670AA170FC716A640732E6DFA837DD20BA674B292754AB227ED9DAEE30E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449172Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:18.699{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EFBB65823A4AD1D7FBBEC081452C5E36,SHA256=6197AA80B1DFEFADA60BAD5BFC01D578876EF74B63225FB816047497D396E76A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449171Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:18.699{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CCBB2F92411A3F26B45EFA89A6BCAC0B,SHA256=CC348359CE66E0CC5586B6E149E02E9D705F87B390290249913A0136B2397C92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449174Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:19.829{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E9A7205F70EB43C94BD48FBA01400B9,SHA256=1F28D51491942FB3D711E86816EA30F88EB4B56CF89B393976B06C6797CBC258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394053Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:19.687{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5516EAD65DF97D0A5CC03CECAACD5B,SHA256=3F16DDE5683371920FA3EC0E70883B4DD49146A4558C693096176A0A8AAFF1BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394054Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:20.749{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F27F587166822361D1B4F913A9BE44B,SHA256=43947B9B84C5350A6E1AB3125AE7A3B38721337DE389B5E3D01CB5503B1BD1AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449175Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:20.843{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0D2B37EE1F0566D98B720305477527,SHA256=71DA7BF374149780727FDC2867518AB66ED59995CBA5C4889B0368CB9D62BE4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394055Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:21.780{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22B45FE724213BE459F10DDBDEAA80CB,SHA256=2CC814B2D68AE1B4D5D66D96B7F4EB42D90DB18E90056FD8E76D91C31C018126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449177Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:21.859{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E08D32DDED70289819666A42349A1A5,SHA256=977E03BFA89BAD8938D3F93A83137FF903E39C014EC6AE6759D154FB2CEE68DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449176Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:19.631{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54244-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449178Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:22.875{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD60BECC3BB4057ACB12549F921E50CA,SHA256=8D47C6FFC15EE1CA7742EF9DE85ADFAAADB63EF5DDD31C8D6D3AB4EBF60653C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449179Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:23.893{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C374B87FED266EA668854B824448567D,SHA256=661EB76BE18FB384FBC20934C25AAB304BF41BE5D97601D5F1325B6BC9F07BD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394057Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:22.291{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53649-false10.0.1.12-8000- 23542300x8000000000000000394056Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:23.015{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F27CDCC2E6725464253992855BA071,SHA256=EA147537A63CF9CD4A1A63EE9C5A2682B2237581FF756B3D1EA3EA796EE8ECAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449180Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:24.924{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF2CC9E90D878FDF19F6C79BCE7E6BD,SHA256=0B42CD0F61029B3D5A1C90F1083AFD9BCD4FAFEE55E7F47992E79C989BFA2800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394058Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:24.015{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A274D074A32C949E497A7A3AC7A5A92,SHA256=4AD59D41B7420912A8F234D6A0F972F734F1979E331525DCC7F5BBA218D0BE0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449181Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:25.954{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BF60C81816CCE750CBB1A2EC805F9CD,SHA256=206BCF6E0708FC7949E085EFB8C1457E299959E908339C2DF817081A3B93602D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394059Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:25.015{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD9C262B25E4F0B0B8A67E1195B371B0,SHA256=697C66929FD6057095249AB9163B78DCD06057A3D9E1AD5EE0FB717D2B8780C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449182Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:26.970{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309F69D37268BFA24F59C0059A5B2B90,SHA256=64FEFCBE8F25B64C2751D3ACE91922093D6A7C00E0E99418BFAF1679E3CEE97E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394061Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:26.218{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B1A9839EAA504AE7B33129FE0D90016F,SHA256=B14B27C665DB3B53EABD2CAC22E5676119ECC1AE00B963F089623FA036385612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394060Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:26.046{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4084C8D70832CC6BB4469AFA9570A345,SHA256=4C63FA9F9102BFCC4B5F43E6C429C97EE0ED5B427C20301EFD127413F41226DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449184Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:27.989{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79BD96DEF985A173104E7FAEEC1F3790,SHA256=15BEE6745EFFE9C6BE59E3C89CA4A1B30EB575D85D95CE490B9F17D4A46AC1F9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000394072Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:05:27.750{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000394071Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:05:27.750{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01376558) 13241300x8000000000000000394070Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:05:27.750{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77196-0x0b0d0f7d) 13241300x8000000000000000394069Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:05:27.750{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7719e-0x6cd1777d) 13241300x8000000000000000394068Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:05:27.750{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771a6-0xce95df7d) 13241300x8000000000000000394067Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:05:27.750{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000394066Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:05:27.750{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01376558) 13241300x8000000000000000394065Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:05:27.750{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77196-0x0b0d0f7d) 13241300x8000000000000000394064Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:05:27.750{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7719e-0x6cd1777d) 13241300x8000000000000000394063Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:05:27.750{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771a6-0xce95df7d) 23542300x8000000000000000394062Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:27.063{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58A10A0809CC2A49FF366793CB8261D4,SHA256=F160627E143C729EC757B4ECDAEE16618AD685EADAA51EF1FF1C24496134AAB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449183Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:25.625{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54245-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000394073Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:28.094{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=029F957A86556B61F930084D586902F9,SHA256=21301BF5B68B166BDA805F49DB8E3E758E8E0D3EC8DC5599808D2356C0D6F4EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394074Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:29.219{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF1614258E2B9837151E2BF2AF758BC1,SHA256=47AE6E76ED21580F976D0357A89CFA6618F3C23572821CA94F454E6A98822CB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449187Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:29.950{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449186Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:29.603{D694AEB8-B3E8-60E2-0B00-00000000D301}6565444C:\Windows\system32\lsass.exe{D694AEB8-B3E5-60E2-0100-00000000D301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001449185Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:29.019{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB657278F2222C52DF1825EACF15431,SHA256=A2AB3E268EF4669E861417455F8D03A4242FDEDE09313C9C46DBEEDF53586739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449190Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:30.618{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E51E85A8506CC72DCFEC267C29A60D4,SHA256=1D4836027E63B2AA09AF38F99EF1B158BC33F064AFDFA0FA863936F97DF7FC00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449189Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:30.618{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B65AF7554583755D9B8DBD97F110C7C,SHA256=7113886CCBE216E54AF9BD750E781F3C6C1DA0F722A149B4F1B862FD3B67335E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449188Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:30.034{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB76CDFDF030DCF1EDA9C68C06D195D8,SHA256=BA2212F45A97BFC62CD09CF5F523DFABC24A3893C3FAE4EA7B0D174395DF182B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394077Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:30.704{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394076Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:28.309{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53650-false10.0.1.12-8000- 23542300x8000000000000000394075Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:30.219{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF7F11AEF863B63B4626B55797D52465,SHA256=C191FD828F6E8DFD83BF35C3D847288A0405DEA3544E3DBE8797A1B487EF6042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394078Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:31.235{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BEAA3DA61AB380879C9FB59D8C9175,SHA256=C217786B62D888B6CA2808AC151167462F9577A316644B016A1A3D004A56C07B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449195Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:29.060{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54246-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001449194Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:29.060{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54246-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 10341000x80000000000000001449193Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:31.469{D694AEB8-B3EA-60E2-1600-00000000D301}12962832C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449192Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:31.469{D694AEB8-B3EA-60E2-1600-00000000D301}12962832C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001449191Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:31.049{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C854332444973C2E9419C9DACB050A6,SHA256=3362E5B223D38AE7957FE178E3FB1A85BA0795FE571F68A2CE66E764C574F1E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394080Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:30.871{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53651-false10.0.1.12-8089- 23542300x8000000000000000394079Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:32.250{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB1D4527976BB458873672281342607,SHA256=A7C985C383818E33947B011370F26617ACAEEA494CB5F7AB89D2A2812F5900D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449197Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:29.390{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54247-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001449196Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:32.067{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E93B0DD07A9A5E0C5D376AAA7E6E099,SHA256=F0CBB75984CAE3C9F6A044B71B734EFBB004F9D595C3DA7534E960255C3B42F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394081Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:33.250{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=990C46FA33D0F8ABE7B691B3CC0AF322,SHA256=1E8ADDF99BC41D3DC8C3146972523A97A5790E865719D9ACB5428E8D17758D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449200Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:33.749{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=60F827B76C09FB86C0ACAE82360B218B,SHA256=07673175FEB96BE30FC0FA4BB1D8BD49029A6D69561C064C9D6F0D5532AE4761,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449199Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:31.621{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54248-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449198Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:33.087{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6649F365149AD2063CE3C5537490A167,SHA256=F6A8F1BF646C3C853B944B94396A013561DBADCD4FB9894D2C62571EB7CE7FFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394096Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:34.923{7F1C7D0B-039E-60E3-E309-00000000D401}24803492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394095Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:34.657{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-039E-60E3-E309-00000000D401}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394094Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:34.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394093Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:34.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394092Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:34.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394091Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:34.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394090Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:34.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394089Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:34.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394088Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:34.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394087Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:34.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394086Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:34.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394085Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:34.657{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-039E-60E3-E309-00000000D401}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394084Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:34.657{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-039E-60E3-E309-00000000D401}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394083Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:34.657{7F1C7D0B-039E-60E3-E309-00000000D401}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394082Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:34.266{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD767189C4EEED5F36C0FB3B9B2E8F9,SHA256=70EB32295E72D3D9BB1767C5927ED643B425B6A0C4468990F5A7C58865BC70EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449201Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:34.102{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23E9AEEE1C297588ACC4C323652C136,SHA256=5D14F3B3F434F5C40232ECA96F8CDC2B86736BD477D2B7629E06C79B323885B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394126Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.735{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F24B58BA5C0BC4E98810A77FCEB8BA9E,SHA256=4A7933E19BA61CFCFABF46C349FA18B97E088B2B8EA8DF2D3CA0AB40B9179464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394125Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.735{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB84A913C1E1210D92120619F0F0350D,SHA256=2595C9FF93470204F08042B805243751B06F00574D91E10203059F3FC856A3D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394124Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.657{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-039F-60E3-E509-00000000D401}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394123Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394122Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394121Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394120Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394119Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394118Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394117Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394116Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394115Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.657{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394114Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.657{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-039F-60E3-E509-00000000D401}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394113Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.657{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-039F-60E3-E509-00000000D401}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394112Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.658{7F1C7D0B-039F-60E3-E509-00000000D401}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000394111Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:34.339{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53652-false10.0.1.12-8000- 23542300x8000000000000000394110Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.313{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C46A56410F7F59D14515BFDB5804B10,SHA256=18B73CA9ECC575180DD308F69547894C4DD403226AF3DA8CA943BB5DD9A5EC21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449202Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:35.117{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0599309E3419C1F8421A29CFDBB4286B,SHA256=59BA68270A48E13428612A9A4D2A94EF3FD6BFB1ACAA9F79659D03035E159161,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394109Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.157{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-039F-60E3-E409-00000000D401}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394108Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.157{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394107Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.157{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394106Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.157{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394105Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.157{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394104Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.157{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394103Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.157{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394102Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.157{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394101Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.157{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394100Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.157{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394099Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.157{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-039F-60E3-E409-00000000D401}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394098Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.157{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-039F-60E3-E409-00000000D401}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394097Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:35.158{7F1C7D0B-039F-60E3-E409-00000000D401}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394127Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:36.532{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC303554596096F05CC0885A7595A05,SHA256=02920F6E0D7DBD12461FC8A1F7F2589FFA5342EC4CA792CED654556244839C32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449203Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:36.131{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7BC2975F78F34854EDB46E73214F7C6,SHA256=542F65E627E032D5F137937B91056BAF75C9C38BA80A044261DA509C153C5201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394128Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:37.594{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E509139DD986702A14DB6FE8BE576CD,SHA256=93FCCD8B80AA63594D8F69FFD81E46A7536F35371F2F45567FAF3E00BDD10D61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449204Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:37.145{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA0A963C4998E48101C7C37F7AECE405,SHA256=7FF1B1D4EF9998BDB4660C6E417E9955A69611840701812A86100480238FD029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394129Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:38.594{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84AE7A4BC1EF2BC2D45B72A09606206E,SHA256=1977DF5255DE880119AFA75681791A1EE64C9983985B8070A529A841C1C59B57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449205Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:38.163{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63B319CA385F99DD33A2D9549CC19DCB,SHA256=6BF2B6898E1A94691114E14C3E2CCCCC6318D5C43ED86B9229AE857D545DEDD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394157Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.954{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-03A3-60E3-E709-00000000D401}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394156Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.954{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394155Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.954{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394154Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.954{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394153Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.954{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394152Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.954{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394151Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.954{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394150Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.954{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394149Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.954{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394148Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.954{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394147Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.954{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-03A3-60E3-E709-00000000D401}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394146Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.954{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-03A3-60E3-E709-00000000D401}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394145Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.954{7F1C7D0B-03A3-60E3-E709-00000000D401}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394144Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.610{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A81B4B7988AD4CA0957EC2120F47AE9E,SHA256=69BB953D9A0AF4CEB84E0776BBD8136E32238F74BD927B27BF8BB878EAFEC271,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449207Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:37.600{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54249-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449206Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:39.182{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020CB62A89DF4BC4F9329CA9C8596BD3,SHA256=3C8C75034253DA6371B4A5DF84A846999F5D169C7881EB315F58A8F4D9710D72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394143Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.563{7F1C7D0B-03A3-60E3-E609-00000000D401}15482092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394142Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.282{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-03A3-60E3-E609-00000000D401}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394141Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.282{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394140Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.282{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394139Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.282{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394138Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.282{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394137Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.282{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394136Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.282{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394135Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.282{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394134Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.282{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394133Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.282{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394132Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.282{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-03A3-60E3-E609-00000000D401}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394131Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.282{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-03A3-60E3-E609-00000000D401}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394130Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.282{7F1C7D0B-03A3-60E3-E609-00000000D401}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000394174Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:40.798{7F1C7D0B-03A4-60E3-E809-00000000D401}8203332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000394173Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:40.625{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2192D7823E2F2A5FBA819DCEFE3727DC,SHA256=88D4C92E0EA542AE532454BAC886DE0606E62927805BD5251F3D73B223684985,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394172Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:40.625{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-03A4-60E3-E809-00000000D401}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394171Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394170Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394169Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394168Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394167Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394166Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394165Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394164Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394163Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:40.625{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394162Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:40.625{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-03A4-60E3-E809-00000000D401}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394161Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:40.625{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-03A4-60E3-E809-00000000D401}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394160Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:40.627{7F1C7D0B-03A4-60E3-E809-00000000D401}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449208Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:40.197{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=447252685DB9E8198F041992B5D7B49C,SHA256=AB75825F87F75387F499B79B0DE7FDCDFEC134D51A80799AD3FB545DCBAD3DEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394159Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:40.329{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F24B58BA5C0BC4E98810A77FCEB8BA9E,SHA256=4A7933E19BA61CFCFABF46C349FA18B97E088B2B8EA8DF2D3CA0AB40B9179464,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394158Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:40.157{7F1C7D0B-03A3-60E3-E709-00000000D401}35083428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000394190Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:41.844{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40382FF17A223FC292A4262B8BCBC7AC,SHA256=884673C84415D55C90C0810E626C1CF8206182342DECF71560A4765146AF6CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394189Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:41.844{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CCC6800F15996BB38023984E9477B05,SHA256=66B6B11FB648B2FED196D046BBF2E938C2BC1D059B9DD0512D210DFAF2A09110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449211Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:41.480{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BDF157675A0D017295E54601AE1EB04,SHA256=834922CEAFAB35A6D9FD0F3F59DD4DA922804EA99C35328CC7CCD0F11209C01E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449210Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:41.480{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E51E85A8506CC72DCFEC267C29A60D4,SHA256=1D4836027E63B2AA09AF38F99EF1B158BC33F064AFDFA0FA863936F97DF7FC00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449209Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:41.211{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD41CC7DF7A2AC370F25A8A39433AC03,SHA256=E22E3E76925105E8804FA43BCE104AFEFB2CFCE1416DCFE4AB30688E907A0AAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394188Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:41.297{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-03A5-60E3-E909-00000000D401}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394187Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:41.297{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394186Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:41.297{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394185Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:41.297{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394184Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:41.297{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394183Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:41.297{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394182Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:41.297{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394181Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:41.297{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394180Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:41.297{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394179Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:41.297{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394178Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:41.297{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-03A5-60E3-E909-00000000D401}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394177Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:41.297{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-03A5-60E3-E909-00000000D401}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394176Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:41.298{7F1C7D0B-03A5-60E3-E909-00000000D401}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000394175Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:39.340{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53653-false10.0.1.12-8000- 23542300x8000000000000000394192Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:42.985{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B885C2C7AA08CAA6E38CA5BD337749A4,SHA256=EC4CD839C790BC15ACCCA924E0BC3D02AB7082CC6B764F7D09D929E341581EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394191Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:42.969{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B355AA25F1F8615B6D96FFDD6C21D50,SHA256=A316A61F9EC3B074CC60EA5C837E25E386828E20BFA7939EB6D9F06DA1340E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449212Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:42.226{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2AC74AB151CF22F52ED8371CF58B94,SHA256=FC257C82C16A62EB6B773DB0F61AC68181824AA41EDAF7420C7E2BA6CA1D41EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394194Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:43.985{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5495EA91C28F5D91A7865DBF8284015F,SHA256=67191EEE4A89A14725DFAC7313A87CEB1B7DBED427CDFD46405DF74FD338ACCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449213Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:43.240{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A01574987983A7CD79C5F6A75E268D,SHA256=ADA152A504BBB38A0FB93743CB3A6FC8CF9C8B19C5DA10C0075EE06173CBE94C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394193Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:41.045{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-17265-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x80000000000000001449217Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:44.258{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=449BD3DA41FE38F359485FA30A567F29,SHA256=7AFA93F121EF482AE4AE457AA4D0AA0E258592B342F7CA83C0DAAF36F039E1DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394195Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:44.829{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAC621C741A2C192E3A0A46CB2EBD7A3,SHA256=35A09E672FCE97D234E888BA3DBDB1C1BC7E09C78C5F200D1655EFD4FD8A84F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449216Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:44.124{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55af0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001449215Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:44.124{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+555d1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001449214Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:44.124{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF13792e0.TMPMD5=7CC92A355EA66A219E3148903E63F654,SHA256=CDE288AC5D74287BFA2D9257B236405535586530C59E6CD093A4AD9FE7326A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449219Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:45.276{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC30C372FE15098FA6EDE82789AB4E4,SHA256=F392C348338ABA141FE15D027B3C833B5C7485D5D19A4ADAD1D032E426EF711E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394196Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:45.079{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7275CAAEE7E5A0C511F628A2BCE3AE8B,SHA256=6866BABB7C670B3932A6D461232328DDB03C2FEE5205C0502A7CC7EE65022B8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449218Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:45.107{D694AEB8-B3EA-60E2-0D00-00000000D301}9166928C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2500-00000000D301}2804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001449221Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:46.306{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=632892CDE3A76C19E5FAB4F1AC0F271A,SHA256=FA6C5CF86B5359D2384AE9BDEF8F7800EF70DADBBBE6232958E935546035F8E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394199Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:44.355{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53654-false10.0.1.12-8000- 354300x8000000000000000394198Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:43.356{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-58638-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000394197Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:46.110{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B831D6266AFE91AAE11532B4F3A45E,SHA256=1ADDEBF27554E0AF17EDD922937AD54B9097684913FB5F047CC111317EDD3A2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449220Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:43.610{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54250-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000394200Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:47.141{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D74669F6B9B7F0AC20ED43186EC0145,SHA256=D7267E55C42F15B5817F492948F2DB40670E04F03BF9F69CA27A160BDBDB854A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449222Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:47.336{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=476CC6DFD291174A864A937EF82E4C4C,SHA256=9EDB70FAABFBCED0BF431AEEFE03D6733E094273C45BE618BD3FD01BC43CCED0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394201Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:48.375{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72E4A2A86D81B07C1C103E2FD56F5E13,SHA256=6816D69757FA97E990C13B7133F3E5B47F267143D28B0D0A9E6F3FCD71077DCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449223Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:48.353{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=681FBBFFB42A5C0E723509D446D82619,SHA256=BACCA4930A1DB94966ADE1F1CC2FAE86864E15BEF4D04CD8D3AEE6E48BFA9468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449224Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:49.356{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D80D1B7581FA4528936398774FA16C5,SHA256=AC33DA9ECB0C6DEB246AE78553541BCE948DCE17DA5031FF49A0386312506659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394202Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:49.376{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=563DBA793B892E0866A3B46CC540DE33,SHA256=1EA62D1FB73F7CC341F4C91636DC3DB95D56A2278D1D046A9AEFC64223B5905F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449225Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:50.370{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D99478A73ECCFE11CD88F5ED08EA7C65,SHA256=A9C3DF3F16FB692C63403AB02213247EDF2F14097C0B955AB9AC26A4286F284B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394203Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:50.391{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4CC5F58A194EB97B21B060ACEC1F709,SHA256=D8EE7FFA1CDD8EDB496C53B7037B74956A6C766539142484A70BC481004BC2C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449226Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:51.385{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95394555E7EEFAEA603049421F650832,SHA256=0DC48DC8983CC19EC88C140453199BE5B73C458B2DFD85924507F0CF411AE1BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394205Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:51.407{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F1E0FF799E9FE083B0EFBAE3F479996,SHA256=6CB080DD42D2431F252CB8CFE3FF9497D6205B1179805FE021C4969DFC90E733,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394204Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:49.371{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53655-false10.0.1.12-8000- 23542300x8000000000000000394206Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:52.422{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C794E6A8E4A06B74385BFA8A47653CA1,SHA256=D85948C228352ED56B5127F95DF75FB4692358598D7D097416D17DDACE1402B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449228Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:52.415{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC1FB0922512BF17981A77A7BF19FF4,SHA256=04DE97A5D70787927C8F36ABD648DAD062296B8B0C3C256622DF10DEC62A4554,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449227Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:49.626{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54251-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449229Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:53.448{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04722D9D6B86DA4231947D515BD397DF,SHA256=C57D55EAC1F3D1BD7493B3F0014ED6DF65B953353D7CC6F26CCB39AD5ED41C2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394207Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:53.422{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB08DB463BC4596ED61ECF09F2374240,SHA256=5C902BDEC08EA6906C210ABAD921D026B6C61D73FFEC90340424C77F736C5654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449230Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:54.467{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4EF0D51CC02A01CEFD153FB391E4C4,SHA256=583645CB9493FDE59548757B1EBF4252B2DB4CC8293CD5C1510DD06E09919039,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394208Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:54.438{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B153BEF1343205C3930E58A546D040E,SHA256=28AE5E9082560A14C19B1801C12A6FFEF66660C3D8DF8341EE9EF34AE06602F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449231Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:55.482{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93823E12773C65AC2723D5B7C0E38478,SHA256=EDBAA83C9656A6FBB7EA048C77C7F05F8E1189139EE13ED1B44FC49A1038699D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394209Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:55.454{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE175A73B6F9600587B14807765CF33B,SHA256=9DA8A8D57A91C4EB445BFF695E64212B76D9BF80D7F7C63A152BCBAB074D81F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449232Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:56.497{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C402ADBEAB4F3B3FB217BE6A6690787,SHA256=CF6963EA8166EC7C103B724269697057BB1445F2B0CE25D78987B87924569300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394210Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:56.454{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF006FC6F644D4E23E0FFB55433B20DE,SHA256=D2FCFB0DA1791DCEBB2C1FBB1606D6033F4AE0988B094DA5498D7CB468A1F704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449233Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:57.511{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53068678BEA19397B8CF9C5624EEA32F,SHA256=2C65DC3DFADB26D0B5EC1F907F7F517C4F148C35F12269D21CD62495946489F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394212Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:57.454{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32D4E4B8AFB4C828DFD51BF9B4442E8B,SHA256=7CCB0ED9B3BDAB0D59FEB134D9C516BBCC47AF52AD8D34B510637D14F4C98AF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394211Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:55.387{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53656-false10.0.1.12-8000- 23542300x80000000000000001449235Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:58.526{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C17D3019077B583EF1AF31C937D5CA9,SHA256=9A11BE3FBE1C93ECF02193914A53ED5BF0C6E6D25D27FC2B04CF6882CBBCDF00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394213Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:58.469{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF790975258BE73B8AB58CA22B0A270E,SHA256=18A09980CDE90C1AAF695AB2756AE9826116EABB84ADF951E7195A1525DE6D74,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449234Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:55.600{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54252-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000394214Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:05:59.500{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFAB03F881EDB1A8AA36D3B0268356BC,SHA256=11868905EF23AE6A1EBCAAEC26C510AD72D4810C520F774B2ABF4B2C526ED981,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449253Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:59.865{D694AEB8-03B7-60E3-750A-00000000D301}52603568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449252Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:59.678{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-03B7-60E3-750A-00000000D301}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449251Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:59.678{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449250Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:59.678{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449249Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:59.678{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449248Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:59.678{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449247Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:59.678{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-03B7-60E3-750A-00000000D301}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449246Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:59.678{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-03B7-60E3-750A-00000000D301}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449245Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:59.680{D694AEB8-03B7-60E3-750A-00000000D301}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449244Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:59.546{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43EA05043A6A407F72F131D5004DF76E,SHA256=C4AF78BD953E9787D23FD53E176BC1851A205587D9DBB5450A494151B1BAEB71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449243Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:59.178{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-03B7-60E3-740A-00000000D301}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449242Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:59.178{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449241Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:59.178{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449240Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:59.178{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449239Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:59.178{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449238Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:59.178{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-03B7-60E3-740A-00000000D301}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449237Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:59.178{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-03B7-60E3-740A-00000000D301}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449236Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:05:59.179{D694AEB8-03B7-60E3-740A-00000000D301}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394215Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:00.532{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEFA912252DCC5DACA7F43451BAA9C85,SHA256=27CD6BF6558B77E6D510C839FDF25E2AD88E308AD6FCC568718E6BCADBDC90CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449264Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:00.597{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDFC5DB24150BDB8376C63460A033BF8,SHA256=469504C8E669AB95FBF52391E0B6EFBE3775A09829A9A5448FEAA7145DAB213F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449263Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:00.280{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-03B8-60E3-760A-00000000D301}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449262Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:00.280{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449261Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:00.280{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449260Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:00.280{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449259Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:00.280{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449258Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:00.280{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-03B8-60E3-760A-00000000D301}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449257Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:00.280{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-03B8-60E3-760A-00000000D301}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449256Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:00.281{D694AEB8-03B8-60E3-760A-00000000D301}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449255Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:00.212{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABB61E6C5847B785466E24B322DA1964,SHA256=84589DC1118986EB464FBED0A70A9053CFDB8C3240C1C3433E1C450FC0E9A7B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449254Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:00.212{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BDF157675A0D017295E54601AE1EB04,SHA256=834922CEAFAB35A6D9FD0F3F59DD4DA922804EA99C35328CC7CCD0F11209C01E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394216Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:01.563{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE7F44D69D463412D43D0C6D87B054E8,SHA256=93C1645F9A3EEB9B64B56DE09D03F80A35573CA51B9BCF49195451CD80FD32D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449266Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:01.645{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ABB3C4A8AC3F6FC56E57A189F2ED2EE,SHA256=B3E3911A84A2F6753BC95F19AA341619CAEB32595F20B12306E555FD63D13E67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449265Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:01.296{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABB61E6C5847B785466E24B322DA1964,SHA256=84589DC1118986EB464FBED0A70A9053CFDB8C3240C1C3433E1C450FC0E9A7B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449275Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:02.894{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-03BA-60E3-770A-00000000D301}472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449274Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:02.894{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449273Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:02.894{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449272Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:02.894{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449271Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:02.894{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449270Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:02.894{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-03BA-60E3-770A-00000000D301}472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449269Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:02.894{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-03BA-60E3-770A-00000000D301}472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449268Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:02.895{D694AEB8-03BA-60E3-770A-00000000D301}472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449267Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:02.663{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=927C92EF6F43F12C649DA07EDD0D4FAB,SHA256=62E7306F1D6540DB7DCE3BD3C174419A7D449704118F6012FD2740CB7BCCBB56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394217Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:02.594{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBBEE7E02E6FA6F248094497BDB01941,SHA256=A668C0F7BC2DE4E37B08310518265229F2D11D4DA88228A015158FB2DCA9E846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449288Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:03.909{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17C0A3285EB5958B1A5A5BB0205A31B8,SHA256=11B382CD40D7A2BC3BDD23BA615B98EACE2DB23668ACA0DCB9143A926D91E056,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449287Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:03.725{D694AEB8-03BB-60E3-780A-00000000D301}65245804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001449286Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:03.678{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131B60E61C443367C9E35BF15803C8A8,SHA256=95EE8215A3EBCF16CEA7068B2A8834742759C81AD138BC705873BC9F886546AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394218Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:03.625{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=852BD96CA4614D435AC1BCEDB607ACB9,SHA256=EF629A2ECCF94F527DFE24F26F11DFE5ABF0F28C14461ED197E74B9F60E7EF41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449285Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:03.578{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-03BB-60E3-780A-00000000D301}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449284Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:03.578{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449283Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:03.578{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449282Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:03.578{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449281Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:03.578{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449280Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:03.578{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-03BB-60E3-780A-00000000D301}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449279Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:03.578{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-03BB-60E3-780A-00000000D301}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449278Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:03.579{D694AEB8-03BB-60E3-780A-00000000D301}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001449277Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:01.598{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54253-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001449276Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:03.047{D694AEB8-03BA-60E3-770A-00000000D301}4724900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000394220Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:04.657{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD58DDE67C6E810AB8FD6F2FB9C36EFA,SHA256=A983094684B8DCEB7ECF2CCE166E71820454A0AC1477C58DD693FBFB6F1AC2FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449305Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:04.923{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-03BC-60E3-7A0A-00000000D301}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449304Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:04.923{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449303Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:04.923{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449302Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:04.923{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449301Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:04.923{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449300Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:04.923{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-03BC-60E3-7A0A-00000000D301}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449299Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:04.923{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-03BC-60E3-7A0A-00000000D301}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449298Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:04.924{D694AEB8-03BC-60E3-7A0A-00000000D301}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449297Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:04.692{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C08EFB387C0EDADA8B3EBCD7AF7B87BF,SHA256=C3F909B8DE419A4CE70A674949C673B082504E37DBA273FA6A8BC5AC560FEF44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449296Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:04.245{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-03BC-60E3-790A-00000000D301}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449295Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:04.243{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449294Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:04.243{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449293Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:04.243{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449292Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:04.243{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449291Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:04.243{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-03BC-60E3-790A-00000000D301}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449290Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:04.242{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-03BC-60E3-790A-00000000D301}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449289Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:04.241{D694AEB8-03BC-60E3-790A-00000000D301}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000394219Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:01.402{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53657-false10.0.1.12-8000- 23542300x8000000000000000394221Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:05.735{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F53B85E4570B23FC3746C27B38C029A2,SHA256=9CDD3D956229ED5818E099BAD9F42175225E1DDC841ACE46C92C1D7A89D1B7D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449343Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.776{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23AA61F847E7F804B09A882295A5234A,SHA256=D486ECE1DA6BAD2BBEB13EE8915FF8462E4FBF459CC729B6D998C29A754DD889,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449342Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:03.096{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54254-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001449341Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:03.096{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54254-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001449340Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.342{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=891B8FF8F907C7E508BE1892B9150E01,SHA256=5A05FE88C4B3D8EADCE4DF1B02F6649230F55008BB5A6F20EC9C24C33B3D3B9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449339Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449338Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449337Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449336Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449335Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449334Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449333Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449332Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449331Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449330Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449329Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449328Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449327Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449326Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449325Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449324Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449323Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449322Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449321Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449320Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449319Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449318Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449317Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449316Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2500-00000000D301}2804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449315Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2500-00000000D301}2804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449314Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449313Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449312Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449311Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449310Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449309Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449308Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449307Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.108{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449306Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:05.092{D694AEB8-03BC-60E3-7A0A-00000000D301}65446212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000394222Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:06.763{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F57248768C293B72F41764561AE2CF7,SHA256=D53EC141CFB45C94A329ECF693CE8C9C63F1BE6CFFF2CCE3359E2D0D50192665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449344Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:06.790{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA6DC7F487125322EB0FE0B7A0D996D,SHA256=FEEC6CF2D130923CFAAE6E06A49D0AF0E6B7B86042FD6945B38007E87B1F02D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449345Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:07.806{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C757297558845315FD4624CD8F93B5,SHA256=DBB4D76F4B3996D85226F6F2030B4474343C102EFA600375165AC04F9B248D56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394223Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:07.781{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1011151A4B1762F6F32C36AE3570E5A5,SHA256=8BF33237F0594BB1BD790C33AD944D22AEB790E1DE21DDB1328DC215F46924D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449346Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:08.820{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95848C426EE26980664DFCD1CBC6AAE,SHA256=DD4E091EA2F4AB468F28AC9D528B47234967926C99626211BBF64235CC9CD904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394224Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:08.796{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EDEE92941131994FDF5861FC48B4314,SHA256=3B32AC2817DD4DC024062086D3D6D401B36E720F99C8032B1EF6C3BFD84F881F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449348Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:09.838{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F316678143BAF8DDE3F76D9F3F2C5C1,SHA256=729D7AC3230F17EC9ECE9B30A0C23872AA925A1C274F7E03ECD481FC641BE7A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394226Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:09.796{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6139F03383B0F9621595D2CB49B8FA,SHA256=C81A7F58E7B93A2D69465277F8A51695DD53CB7E90B78319876F6B1F12D9DEF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449347Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:06.614{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54255-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000394225Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:07.354{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53658-false10.0.1.12-8000- 23542300x8000000000000000394227Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:10.796{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4FFCCB65E139788B334B87C47967BD,SHA256=DC372B874898645477A42804772B96A0E251A89D5DADC3BE73D2BB3487D83BF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449349Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:10.888{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EE1BD1E653150A095371E3C66A42778,SHA256=14C11B3A1EDE0F8FB2483FF2CB07C2F306FAA2233CBF88294966EF5A1153813B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449350Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:11.918{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B86A1441B74879474937FE9FD45A8FD2,SHA256=E20753CBA30B8052138A674912FC45A68E5DFA3C61160FD2E55FB147A976C7B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394228Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:11.796{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B8F2EB1C781DD913088FDD1D48DCC6,SHA256=2F24B3C39AAAB88A922ECDBB3C588CBB866CE8858B5511D1B9954B222AD21C22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449351Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:12.935{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F3D361C38C504538589E5919E2769D,SHA256=C22F5EF4842FDB4DEBA5C79CD4495C6A84EB016947B40AE8894AFDF273032233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394229Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:12.812{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F64163B01A90AAC09F2966D2E071449,SHA256=6DCB8082197FA7B50AFA75B12AAA0F33CA84A5920A791A0E45F53AAF03E9B88E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449352Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:13.937{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11D494B74DFA459D749FD68DBA2477C,SHA256=E84224A5A52A4012814CBCD6AF9CCA35CC7C5B4D14A9FFA91804A5FF3EE1AC60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394231Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:13.812{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7EE0F5856109A467BFC92B4EA85299F,SHA256=EF3D277C464DB0DA036D20D1D18D27B63E08001448B00931DF94CE62E0DD7B61,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394230Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:12.355{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53659-false10.0.1.12-8000- 23542300x80000000000000001449354Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:14.952{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D251AC05B1700D341D1958A16762628A,SHA256=D439F1BC3FB25A9C38773746C46FAAD299D77F8C8EB329A0F29566EB14D37F34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394232Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:14.827{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13EEA4A17E8D8FC260CE257000C2E17C,SHA256=01D805F25A5EFD7F5A59D43F649ED34E444D5C118033B14AD87D23344F9EE7DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449353Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:12.641{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54256-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449355Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:15.966{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=049F5CAB391C50C8F0BC38990B42C25F,SHA256=E1CEEEFB7574DCA9E4E7C8ACA343DFC6E2324E7F27D91DCAD9C6D93730643291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394233Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:15.827{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EAD4F0A1ADA9C0C5CD1092C407689B8,SHA256=D3F8BB5B77E9685A3B5951771C3B7328B0C5CF980461EB92B26B480EE303C592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449356Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:16.981{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F794F8E93F9D3556B752C7C9DB4718,SHA256=24D1242DCF02EF54AB1CB41EAE4831BAAC9AF4DD4CDF7CF889DD5091D2CA178B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394234Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:16.827{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF34FB98CC1E1353DB5BC41887824F7,SHA256=5B32A99F7AF58D3109B2CEE46DAB10AEA2E32C669BF0521E194DF6F8A806DB76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449357Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:17.996{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F82E6F4964FA8B537A8D22026B0AC9EB,SHA256=4BB3C0F32BBB90201F4E4040B5B9EFCBA262A4B3459E94608BCB6FF2B1289181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394235Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:17.827{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=142C2AF0FD65612D71081AA03CCFF046,SHA256=8B09535AEE34D53169C9A3F7CA680BD7BA637FB5DFBAE5A3A981A838B2B2BDFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394236Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:18.827{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14DF6DCE05C3296716035E35A85E9CF2,SHA256=9BEEA708C18B4888145AA8FB8B476EA459F398E97A18ACB2729D096A3DDE2370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394238Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:19.827{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFDEC3B9F22F992E54DA4F94F7B42BAD,SHA256=948F203EF1CEFEAC0A4DB6970655668EDFD7206399B6115B660FA88D55EE69E1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001449362Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:06:19.962{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\DFD6B7A8-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_DFD6B7A8-0000-0000-0000-100000000000.XML 13241300x80000000000000001449361Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:06:19.962{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Config SourceDWORD (0x00000001) 13241300x80000000000000001449360Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:06:19.962{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_E4B998BB-7148-4125-92A5-5D16014446F6.XML 354300x80000000000000001449359Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:17.651{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54257-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449358Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:19.010{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8297F08ADBD154E1F329C6BF0F75714,SHA256=9B5BBB0C47BCE7FF0594340E10241DD0D1CA7E9D33D3254445EF25C89A0D443B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394237Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:18.276{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53660-false10.0.1.12-8000- 23542300x8000000000000000394239Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:20.827{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDC2E05C889F25243359878E77A2C739,SHA256=7911B3C3F9F9A0FB5864FDD6E3EB116DE2D5E342D29025ABA5A2C4D5210FF225,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449364Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:20.861{D694AEB8-B3E8-60E2-0B00-00000000D301}6565876C:\Windows\system32\lsass.exe{D694AEB8-B3E5-60E2-0100-00000000D301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001449363Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:20.028{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BBBC604118A078E8CD57C60E8621A24,SHA256=9A6CA1B8A20F396D49C6822C8CAD3453930088B93F1CFF76FDFD34E59BD9B24A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394240Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:21.828{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25D816D23B98ABCB12C51D1B7D6B7AE5,SHA256=E460516DD5EBB3C5E99BB87EB9B1BC059075A772FC9A1E6396861BB046A11A13,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449377Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:20.211{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-201.attackrange.local54262-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001449376Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:20.211{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54262-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001449375Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:20.205{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54261-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001449374Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:20.205{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54261-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001449373Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:19.439{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54260-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001449372Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:19.439{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54260-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 23542300x80000000000000001449371Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:21.046{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD61DF8CE0F06394A23A1987AF08725F,SHA256=6E301F78F6FAD850E5990DB0C6BD93CB032FB838F0D4913F05B0868EDF4BD33B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449370Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:21.030{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE4A4245D9C93400BDBD50F7EE9BA341,SHA256=E4A435834B311F131EF3A3A135820545FA6CF3D916C3F7F0BF370832AECFD055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449369Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:21.030{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9C1BCB3F661D652A4A7D6B2B7669C05,SHA256=51B22B1B032E9075B80BB2CA7948A101BF21126C443A9511301BC7C5268F43B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449368Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:19.432{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54259-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001449367Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:19.432{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54259-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001449366Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:19.419{D694AEB8-B3EA-60E2-0D00-00000000D301}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54258-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 354300x80000000000000001449365Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:19.419{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54258-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 23542300x8000000000000000394241Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:22.843{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E81C3C7CA1440C36BDDED907957174E6,SHA256=A03CB1630BEFD9FA2C347D739A56488EF12EDEF8B0EB898A9047A5E0C84273E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449380Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:22.060{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8E0C793EC2B4E06EBDC783AFE35DE6,SHA256=D2FCE77EE2A1879F1F2803D320C800F5CF12C333B9CF13559DB17B8EFAB99630,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449379Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:20.320{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54263-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001449378Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:20.320{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54263-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 23542300x8000000000000000394242Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:23.843{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0E122F512AA83A74DD7ED654731D96A,SHA256=4AE095B86837BE40A2F55E94A2E4E2233533F30A8BBB25DF602E2E0B056DA97E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449381Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:23.074{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=939BB45F9E74D09BF789E345DFAD5746,SHA256=BCEFAA8041AE49197D06F64002D7E393F538C5B8938608C1BC8653B24CDC52D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394243Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:24.843{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6664EF2964DD7FC859093CEC280A7C8,SHA256=695BC429E187D6AD19263A6CB22989895860B1C8034C5EE30B75F97DA3ED75FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449382Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:24.122{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B73611B52AFC2F04557F4D4C2A6B5007,SHA256=7EF613A86BE5680C288202085FA734E8A9D0B6C5CDAD5DF32D4557696CE0BA3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394244Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:25.874{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B2022A086C52218BE4EB763FD5E878B,SHA256=262B4AFD0BE3C12B8981361E7C7305A0A45158014D1E2CFF56F868ED739D9A01,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449384Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:23.676{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54264-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449383Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:25.140{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3462F03D92427B3510B6F883053729A,SHA256=8E806344E2E27AE7FC0E31CE2B5B83BE46710F8AF334F7C10F8A41A24D111209,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394247Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:24.292{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53661-false10.0.1.12-8000- 23542300x8000000000000000394246Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:26.874{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13DDE380229613A1E937BA3EA4AEF86F,SHA256=097059DE85005E1721F0FD7332D3DF61ECC3A4A150A47FDBFCE2BFD06C97DCE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394245Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:26.218{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=26FCF901F3DC63A71664A5D99696CD09,SHA256=0FED4A4707BE3BF8E3551B5392C8D72564F26A6B9926AF038504A9C19CDF6F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449385Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:26.156{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3DED406A2413E2B856C7AA2E21269A8,SHA256=EAF47F09A7CDD87585094AD3F9E9FDECFF8BC065B99209543CFCDF30E333234D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394248Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:27.874{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF16BB5154E4F00046D89426823C677,SHA256=1F8DDB4D1AF4B075F573228859D00D65CC575B2988D4A7233B2F18A3FE99BCA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449386Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:27.170{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE78BB38FF2B3A026228B27C00017F06,SHA256=E3C7700D543C4364B36234D7277D920DB3FEE6F8376ED3CF799ACEDB7BC85A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394249Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:28.937{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504ACFC2E41730E5383E1F6A8950041E,SHA256=8318F48A089E8F4A396F67DB77986C9FD021328C6641885B3CFB500BFF920E61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449387Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:28.201{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDD04E96AA563B80E0F5DD170E6336C0,SHA256=BFC1CE31E87B71AB2CA50F05E7A644A4C9B17CD18046531799CED6348C56FCE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449389Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:29.967{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449388Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:29.218{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0047B8D1F0C52871E2414A30197CCE4,SHA256=3651A8626151083C33F141FF345A8AEC266B48A4352B6536804D667C92707B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449390Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:30.251{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F39D05FA9641A27C40959FF3E6F5F9,SHA256=4B06DFE37BB7CE6F76E8F1281217DDE852260AE8BDE8F1CE593FA9FAD0DDA3DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394251Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:30.734{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394250Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:30.000{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D076714FFACAFA5FBE016AE737073D2E,SHA256=5FCF9D6D1269A72A08E89511804855B5EF256FE1E00AB1F385409B092369F091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394252Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:31.015{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=455A3586EA7A5954DB042BCB26B165A2,SHA256=F452D8DEC30EC49A4C76D09A5472CAD6BA078A775777A0BD62A41808FB2EB2A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449392Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:31.281{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C361108F298ABE74E0DDE48950FDDA,SHA256=6ACD722849B4495A72B49A43888E5AA4410F4644C6274AA3E95888F592FA5237,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449391Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:28.692{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54265-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000394255Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:30.902{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53663-false10.0.1.12-8089- 354300x8000000000000000394254Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:30.261{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53662-false10.0.1.12-8000- 23542300x8000000000000000394253Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:32.015{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC57FCE0292311D1CF8E43B88486050,SHA256=2F91E7032E1FDB4540A9A7B899FC5FFDD5D66B31BB6A5676990B1A9D184DDBBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449397Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:32.314{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A98423F48A9A81723781F63811BD07,SHA256=2C6030209E4F57F6D70FF6C939740AC1DE4E04E32CDD33758AC1EB3666B07AEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449396Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:32.280{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A72D7D7EFD4582A1991AA95BA5E7E84,SHA256=02C823FCBA940CDD746425D1EE480C3B86FD19EBE4CD09BE026B39F222F1F38B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449395Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:32.280{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE4A4245D9C93400BDBD50F7EE9BA341,SHA256=E4A435834B311F131EF3A3A135820545FA6CF3D916C3F7F0BF370832AECFD055,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449394Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:30.217{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-26946-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 354300x80000000000000001449393Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:29.407{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54266-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000394256Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:33.171{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A041C387F10D3543659D626B6417751C,SHA256=AC6EBFE5B623D9BD0B45BB467079AC31EAD55BD388165C840481C0B9B5F574AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449399Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:33.763{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=41A1A14A5CF2AF0D2AB4FDBE9E2209FC,SHA256=C4D4ECE5E27F6ABED6F1629B6940014DB7BCF140263807AAC5530DC3A3661320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449398Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:33.347{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B7C0334D3DE52F9CDCCA5FD6F33E4D,SHA256=4CA30BD43E0CAD51BCE620DCEE9E752D70F515F06D76EC09D9C1730A62F202B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449400Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:34.362{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DCC6AB6B9D30083DACEF3D0C87EE4D5,SHA256=F3AD779E75D0AF88075E9977B5362A0D4408D4F169E1C0BA4D116F2005C6DB42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394271Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:34.828{7F1C7D0B-03DA-60E3-EA09-00000000D401}33563496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394270Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:34.671{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-03DA-60E3-EA09-00000000D401}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394269Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:34.671{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394268Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:34.671{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394267Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:34.671{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394266Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:34.671{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394265Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:34.671{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394264Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:34.671{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394263Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:34.671{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394262Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:34.671{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394261Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:34.671{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394260Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:34.671{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-03DA-60E3-EA09-00000000D401}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394259Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:34.671{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-03DA-60E3-EA09-00000000D401}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394258Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:34.672{7F1C7D0B-03DA-60E3-EA09-00000000D401}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394257Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:34.296{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F37C378857578F1DD1BB629BB5D64AA,SHA256=978F6B70048D8DF30FA8BFC3FB676079754EA3DD608F358862D54AA52DF14E50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394300Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.843{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-03DB-60E3-EC09-00000000D401}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394299Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394298Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394297Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394296Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394295Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394294Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394293Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394292Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394291Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394290Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.843{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-03DB-60E3-EC09-00000000D401}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394289Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.843{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-03DB-60E3-EC09-00000000D401}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394288Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.844{7F1C7D0B-03DB-60E3-EC09-00000000D401}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394287Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.702{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CC36FD315D98E3390AE43848AB00A7B,SHA256=AA66508BBC43797EA2944FB46243E6F9B197697171D59512F28FB295F9156A1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394286Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.702{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CFE6C6C9CD903F09C715498DA7BB8DF,SHA256=BE61926D1096ED7E3FBC69E5F346B78EDD9483AC848B876BFF55885C508ED769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394285Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.421{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF7AFAD5AB0C4F6BC3CAA700428B508,SHA256=365605BD684AD8A1979F3875B4E71F2EF93A105CE5DC751839B348B121F0E372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449401Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:35.377{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD6FE3D1D11E9179E55EA3344FA4D6BE,SHA256=4439442254A8E509E33FBF71FE41A428B7C3BFAE5CD535F928C48DF93DA10C39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394284Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.343{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-03DB-60E3-EB09-00000000D401}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394283Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394282Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394281Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394280Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394279Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394278Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394277Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394276Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394275Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.343{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394274Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.343{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-03DB-60E3-EB09-00000000D401}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394273Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.343{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-03DB-60E3-EB09-00000000D401}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394272Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.344{7F1C7D0B-03DB-60E3-EB09-00000000D401}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394302Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:36.859{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CC36FD315D98E3390AE43848AB00A7B,SHA256=AA66508BBC43797EA2944FB46243E6F9B197697171D59512F28FB295F9156A1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394301Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:36.515{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DDF21CBE9AD0EA29176E8FAA18FDFAA,SHA256=842BEB09D668D7EEC64EBE77F7213B3157D1D8822C9DA8F50D10E86A0674D0D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449402Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:36.392{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C848F4D6601C9CC5B7A7EDF9B48D41A,SHA256=8B7B54D40984C7DEECAAD28053BBA3A6BFA70F895BDC2899B73303809EE6AC0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394304Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:35.277{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53664-false10.0.1.12-8000- 23542300x8000000000000000394303Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:37.547{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3731AB6E594BBF4B2354DBC6CA2D3B60,SHA256=7AE46BF21CFD45C7FB7FB11D6D06D804518FD90EBC06D98DACD70AFA4DB62F68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449403Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:37.409{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F7921122E9727BD951704828C67A043,SHA256=B7C10C7F4A70B304D63DD7B426D50990DB207BF00270E2F560A16421C2383C1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394305Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:38.609{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4836C0EE834A0E097F03F180D7B1166A,SHA256=FF6AEE5C1F758E7208A2F835E8434AA9FDDCBAD15892572EB6DC62B692B46505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449405Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:38.443{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E701885E473380A6D085BB77BDA8DE,SHA256=52CC5ED1A18F58FD2676976180A509C442BA61181B34A9A4745AE077929A7CDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449404Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:34.686{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54267-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449406Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:39.443{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D730B1C361257F95140EFD69017162EE,SHA256=153D36CD783985B8490FEDC23A3A9D9DFC7D59E2B4B0F78077DC18330C8659E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394333Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.827{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-03DF-60E3-EE09-00000000D401}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394332Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.827{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394331Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.827{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394330Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.827{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394329Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.827{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394328Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.827{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394327Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.827{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394326Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.827{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394325Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.827{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394324Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.827{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394323Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.827{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-03DF-60E3-EE09-00000000D401}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394322Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.827{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-03DF-60E3-EE09-00000000D401}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394321Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.829{7F1C7D0B-03DF-60E3-EE09-00000000D401}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394320Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.609{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB578BA41B78E5715D6090D47F06E4A1,SHA256=BFA0D5C78B54F7627A7C652988E27D5063671D6BD1A42CDFED4CDFDECD15BB16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394319Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.468{7F1C7D0B-03DF-60E3-ED09-00000000D401}3684824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394318Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.281{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-03DF-60E3-ED09-00000000D401}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394317Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394316Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394315Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394314Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394313Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394312Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394311Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394310Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.281{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-03DF-60E3-ED09-00000000D401}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394309Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394308Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394307Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.281{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-03DF-60E3-ED09-00000000D401}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394306Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:39.282{7F1C7D0B-03DF-60E3-ED09-00000000D401}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000394363Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.843{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-03E0-60E3-F009-00000000D401}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394362Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394361Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394360Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394359Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394358Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394357Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394356Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394355Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394354Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.843{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394353Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.843{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-03E0-60E3-F009-00000000D401}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394352Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.843{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-03E0-60E3-F009-00000000D401}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394351Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.844{7F1C7D0B-03E0-60E3-F009-00000000D401}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394350Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.671{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FFB0D9CDFDBAC9924AE085E1C704302,SHA256=DBA378CCC0F8F74CA2E7E8B20E3DB2B715B3C11F47209D67929F8AA9215ED2C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449407Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:40.473{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02D3199EE1F9869DF5C9524E55EB32F2,SHA256=34658181FD85F909D7C614FF4BD53F53B33AE3C8937D81F0DB8919A39DE7900C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394349Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.562{7F1C7D0B-03E0-60E3-EF09-00000000D401}3740584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394348Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.328{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-03E0-60E3-EF09-00000000D401}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394347Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.328{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394346Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.328{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394345Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.328{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394344Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.328{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394343Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.328{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394342Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.328{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394341Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.328{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394340Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.328{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394339Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.328{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394338Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.328{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-03E0-60E3-EF09-00000000D401}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x8000000000000000394337Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.328{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BF0911C7A1D775AC812BAEA9945E84C,SHA256=5046F85255F2D6AD63F137E9B63B9430AEF360B37D8E6D086F7DB84D0AD6BFDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394336Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.328{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-03E0-60E3-EF09-00000000D401}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394335Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.328{7F1C7D0B-03E0-60E3-EF09-00000000D401}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000394334Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.109{7F1C7D0B-03DF-60E3-EE09-00000000D401}10682912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000394366Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:41.874{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17EA7B454D52B34C56DCD9DFC53DBA50,SHA256=FADCEFF9E5025450DE94551BD3AFBBBB9D61316142EB854142472A1784ABF5AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394365Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:40.277{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53665-false10.0.1.12-8000- 23542300x80000000000000001449408Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:41.488{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26EA5E7C687EAE10787EBD7E357039B,SHA256=399EBA5C25A7B6091BF3904571C65A33427815C223F2C330F01DADC49ADF6F30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394364Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:41.437{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8ADA9EA86204DA5AD763981C70F5038C,SHA256=2F4385FAFFB8954342DB6374DB01EE9DFF2F5D089503F96D216BF5279C929B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394367Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:42.874{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8427498FC8770E1C071F2F5C09167C,SHA256=D3F92E7F8F40AE0F4F1FB79D7A6F25E41B11030A3A014B9FDD5576D87AD3CDEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449410Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:42.571{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCA5E78A7D46DADABE6B880977576B2D,SHA256=ABAF609A2C76BE1F461ACE38854AE7AA09E616D02DCF68C5578365F908C397FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449409Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:40.513{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54268-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000394368Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:43.890{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3842BE70A6DDBE620AA2176E764FDCF,SHA256=61474C2E8D5190D902A0E7744C18D1F0255D3E1C4CD948D25075C07B83BEFC2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449411Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:43.586{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA14627C080C62B5DB5404DA6E0BFBA,SHA256=E7D1C113149FD05B130A3C18825FAF83DC7BACD8916E80A48B709C3EC7A9EA50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449413Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:44.603{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A2CF93EC3BF460EA7A49CD38BA86871,SHA256=C8F7696DC236EC7F6CAD35E5D00AF236DAD6093B72DD0472ED87D2859E5DFE24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394369Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:44.906{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A720C70CF4E506A55D8CBF12103F30B,SHA256=9511635B336DF83676B95E41F4DBD7B813545D5A88385FC8A53B330E88686D21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449412Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:44.085{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\aborted-session-pingMD5=5AC077ECAD637E2EF1B061BD7ABCABE1,SHA256=0A1517A442142D29B0CBD04F41A2C0559987530E9663A5229199204674B72D80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449414Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:45.621{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3232DBC56EB6EBE00CC225A6D6DA225,SHA256=2BF5FC08D174B9C1306F3B40121E424E89B3B61438B085A05147603F4870CCCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394372Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:44.169{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-61039-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000394371Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:45.906{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3DF6BAC23C4D7BF6E9DC4518F06D039,SHA256=EE7E4D97A70584F6ABD10914C736C0799023016D233AD694F9A016F961FDA9CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394370Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:45.281{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=315DB93199C2A64823ACFE1C5F4DBE7E,SHA256=25E65127D883723593C6D3C80A9C86ED004C906A0FF5E37B9DE47DFF2F857400,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394374Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:45.308{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53666-false10.0.1.12-8000- 23542300x8000000000000000394373Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:46.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54B6D1EA41229C6BA92700607500E79,SHA256=F4D0930D6CE854F1C7E9BB9AA7EFD143C2E06159477CAB0B1714F9EBE6DEF3B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449415Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:46.666{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8887A989037297146F9F36C9272A4677,SHA256=8D0FB3C044D6CB672A537D9EBDD2F3C902F8CCDCF6DB572A62D6C700147BAD3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394375Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:47.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05CC5DCA1F5F81CF067060B5DD623873,SHA256=936B0724518C2B41BC1375158F7E86897323FA9564A83C3A817C43B6FBA0E49F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449416Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:47.699{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CDB82C9121387511AA6E60D7A5DEC4A,SHA256=BDAEE64283F4059A316498F5B4C6883F7F74692B5D75AA6BCC0EDA7680521169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449418Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:48.717{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD6188CF3E4D164264702EA5C65CD13,SHA256=7C03CA94D3E60A912650CE2C0BD0C23F41CA1442A1F4E558E03CEE00B7C1C57A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394376Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:48.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7322BFA90EC10CB880B8C13969970BA4,SHA256=AD2781B778979975217180AD1477B83A3DACE2FF2633CF7FFAD4964A045AC172,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449417Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:46.537{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54269-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449419Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:49.732{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F9BF8DA04674261BEB0880F79EE170,SHA256=3F61309D98D6CA419DDD436C9B1E0C49184CE8E29228F9506967588CE38E3979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394377Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:49.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51922A72AFB4B359EBA56E5506D11282,SHA256=ADD45CBC54B3A077D208BB88038967A8DC1AEF378AF6FDB01513AAE7DAFCDCBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394378Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:50.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD4894BC51C58DBF9DB49CC23D7B599,SHA256=CEB296C04CD5129DA9EBB63FFCA9FDA1C2CD81B5F2484994E61588684D19F3E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449420Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:50.747{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70CD48D80BEE3A6DDD6F1D098A425C32,SHA256=6B90AED841E38E4A60C2B5FF40DEFD2CC10F5AD806E959FCE6D83FB0206DD1F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394379Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:51.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E23B07F08ACA7C80300CAC51378B8829,SHA256=01B79823BA37B5B5C5159C24506AC1273E907EFC57DAE936AF52E06E7F4E7F33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449421Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:51.763{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C486E3E1B0AFB9AC607F593732A93D95,SHA256=9E890402FC7F03257D3E76E0A7B62DB4E7F799916ABDB2E5DD20804FE7F64372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394380Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:52.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29984FD98846EEC172D9A009ED909169,SHA256=C3A039D17AA952B078DE1F1317D513087D59E469C9551B9CAAC1656B4E950DAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449422Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:52.777{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8CFBAE0012F925B80A3ED9827B6D989,SHA256=7164B6FCA914F93493A67AD5357B71B9EE1EEA424755909E0BB616F97D831057,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394382Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:53.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11607AF169CA1ABD79DE8EF22F93A8DD,SHA256=8C86104F433EF7C10D2AF9486CB6F9FA9B1C770F6A41AC3CBFDEEDB0C3DD4877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449423Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:53.798{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4CAA91CB09192507B60DFBC6E2D37DF,SHA256=C792BE472D27FAF15E552B7739430AFE85AA6322555055AD1B248AB4F9CF7EEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394381Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:51.277{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53667-false10.0.1.12-8000- 23542300x8000000000000000394383Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:54.921{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BF82BE7D98B149397E8208B22FD5DE,SHA256=9D9EB37BA86E0A899A6E6762AD3A14AFA9004CC2F9ED680C18C7CFB0740A83FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449425Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:54.812{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1AA77F3D17E5918DB9FE08EF339F1EF,SHA256=8F3A575F204891DFEBE7E2535E9F31DFF9546E9BD680729CE3D0B9C3E29F93B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449424Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:52.570{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54270-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000394384Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:55.984{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32507FFEAE659E427E6592E2191948EF,SHA256=5333CCBA67023064A01EFBA3FB70BF905D56287DB620DD174836C7DE081394DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449426Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:55.827{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24E70AFD89424B1392F6A91082D9A92B,SHA256=A4136082146908691B13080DD31D2E0D1EF423CDEBEFAC748EBA25E9F554DC42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449427Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:56.841{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62E133734701C370704D80FE77B1790E,SHA256=EB5D9FAD94F74D6F43CD375E30A29E9D65FEDB8AA8F96E80293A5F7F342EE67E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449428Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:57.856{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B47A52239B2E21556B548C3FCFF175,SHA256=D501146A961CFC9271CF9E6BA14EEA8A208D2CE97DA79EF8BF0BED3189C8E447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394385Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:57.031{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3895AE64F6299DF77BB3518EE2C05E4,SHA256=C1C3CA386DA5F1F56CAFA0300CDDC471DB1CDCD1703BEB6408E0019C66D59EF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449429Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:58.871{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9593831FD644B106C59568C06D613F3A,SHA256=5DF6944B6CB389E0CF606E14AFFC628CAB38CC380FBD1C0DA740A9CD260D4105,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394387Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:57.293{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53668-false10.0.1.12-8000- 23542300x8000000000000000394386Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:58.156{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D3306EAD97A09A67E68E0CB220D0B0F,SHA256=3A98777108D8C6878DF0BF0B64D6A13C3E3230A9CF531DBFD78E5B4B8FADD023,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449447Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:59.954{D694AEB8-03F3-60E3-7C0A-00000000D301}48765824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001449446Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:59.923{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF12BFBF198266F39CACC5E6154F9F2,SHA256=3FEA1764D9074804B58718A01F7DD02697E6BBB26A29CCA60E6C76825101FFA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394388Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:06:59.156{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6036B4B1751F6B1641A0B601726E749,SHA256=A49EC3BC3FA4DD598A7488770A8CD8DDDA6058CA69CBA0DF1044ED5B7481BEA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449445Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:59.790{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-03F3-60E3-7C0A-00000000D301}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449444Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:59.789{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449443Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:59.789{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449442Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:59.788{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449441Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:59.788{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449440Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:59.788{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-03F3-60E3-7C0A-00000000D301}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449439Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:59.788{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-03F3-60E3-7C0A-00000000D301}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449438Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:59.786{D694AEB8-03F3-60E3-7C0A-00000000D301}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001449437Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:59.123{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-03F3-60E3-7B0A-00000000D301}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449436Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:59.123{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449435Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:59.123{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449434Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:59.123{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449433Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:59.123{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449432Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:59.123{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-03F3-60E3-7B0A-00000000D301}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449431Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:59.123{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-03F3-60E3-7B0A-00000000D301}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449430Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:59.124{D694AEB8-03F3-60E3-7B0A-00000000D301}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449459Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:00.938{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D50A2A889A5FAAC80CB2380D7854D4D,SHA256=E0A65257B5E1B45FBDF62E85522273FE46F988DDBD0193ADA2BAA7608E2F0704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394389Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:00.234{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE2C9CF77DAC7B386A1BE0199DDB6AB,SHA256=C29A89361E6481DAB80E5CC2072650D98A2A74563CC5D349777A2BE8DC71F959,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449458Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:06:58.579{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54271-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001449457Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:00.453{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-03F4-60E3-7D0A-00000000D301}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449456Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:00.453{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449455Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:00.453{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449454Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:00.453{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449453Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:00.453{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449452Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:00.453{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-03F4-60E3-7D0A-00000000D301}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449451Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:00.453{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-03F4-60E3-7D0A-00000000D301}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449450Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:00.454{D694AEB8-03F4-60E3-7D0A-00000000D301}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449449Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:00.138{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBBDB9EEBEC76C740682866AC4C8915B,SHA256=293098D78D6B4FD01ADE24E3CD69AE4BA0B201E0D8CE62CF03556FC7141F174D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449448Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:00.138{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A72D7D7EFD4582A1991AA95BA5E7E84,SHA256=02C823FCBA940CDD746425D1EE480C3B86FD19EBE4CD09BE026B39F222F1F38B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449461Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:01.954{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BAB03EF4D6598C850D940C1FF54C96E,SHA256=1EC31B747A741F57E4108C36D92B68A85F65F5ADEEE21FB5F821CDCD3047CD52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394390Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:01.281{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE4F6FE90CD5A0002E735DCA263F0696,SHA256=E4764024FBEA129009F5744517BB68D15BA131B956D5CC0488A4396481348821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449460Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:01.470{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBBDB9EEBEC76C740682866AC4C8915B,SHA256=293098D78D6B4FD01ADE24E3CD69AE4BA0B201E0D8CE62CF03556FC7141F174D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449470Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:02.969{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E8019598FC4004EFB4B7EC77D31287A,SHA256=79C5D9AD661F086EEC3587DFF2ACE3C236C92FAFE38461443530C0A0D7AAD456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394391Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:02.281{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50DC5961092694358391F2EBB08C35EC,SHA256=2EC967A9AF558FA62DF3CB8EF53AB7EC3FC9502A0B815ADE7C2D7A40EC97302B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449469Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:02.906{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-03F6-60E3-7E0A-00000000D301}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449468Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:02.906{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449467Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:02.906{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449466Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:02.906{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449465Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:02.906{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449464Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:02.906{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-03F6-60E3-7E0A-00000000D301}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449463Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:02.906{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-03F6-60E3-7E0A-00000000D301}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449462Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:02.907{D694AEB8-03F6-60E3-7E0A-00000000D301}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394392Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:03.312{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39E68AA4515C84400023B91E15CAA6C,SHA256=008CBB7362B837F5EE250C504AA857939609DA1DD5C3E67BF26BC8AD69B453D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449481Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:03.921{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F2912C87D4B04E5FF5F8FCC8EDCEF67,SHA256=E996387101F2B0EB15D8407105DC7EA6989B68084973A9A145D8281132D194DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449480Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:03.721{D694AEB8-03F7-60E3-7F0A-00000000D301}5468680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449479Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:03.568{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-03F7-60E3-7F0A-00000000D301}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449478Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:03.568{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449477Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:03.568{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449476Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:03.568{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449475Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:03.568{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449474Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:03.568{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-03F7-60E3-7F0A-00000000D301}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449473Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:03.568{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-03F7-60E3-7F0A-00000000D301}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449472Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:03.569{D694AEB8-03F7-60E3-7F0A-00000000D301}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001449471Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:03.053{D694AEB8-03F6-60E3-7E0A-00000000D301}42766296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000394393Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:04.328{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8260914C7E2B7FB69882056305E88D55,SHA256=F2C226BD469052E08956C8F7BC69F45C653F9E2CE27B135CEB0050BECBF3B07D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449498Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:04.936{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-03F8-60E3-810A-00000000D301}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449497Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:04.936{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449496Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:04.936{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449495Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:04.936{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449494Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:04.936{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449493Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:04.936{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-03F8-60E3-810A-00000000D301}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449492Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:04.936{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-03F8-60E3-810A-00000000D301}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449491Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:04.936{D694AEB8-03F8-60E3-810A-00000000D301}6508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001449490Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:04.252{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-03F8-60E3-800A-00000000D301}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449489Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:04.252{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449488Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:04.252{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449487Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:04.252{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449486Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:04.252{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449485Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:04.252{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-03F8-60E3-800A-00000000D301}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449484Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:04.252{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-03F8-60E3-800A-00000000D301}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449483Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:04.253{D694AEB8-03F8-60E3-800A-00000000D301}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449482Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:04.152{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B889A07E380FD3D2272615C13D36B0E9,SHA256=CFB36F8276377E750303E4AF65D6FB735DBCB77A1F7D98ADD4EE55C76BF77379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394395Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:05.390{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D704C853D1C3AFB76258719A20A7E3E6,SHA256=82C58C4F06CA79D27C3752663549003B50FEF49D2D0CF31BD4F2FA52589E7BE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449503Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:03.109{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54272-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001449502Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:03.109{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54272-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001449501Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:05.266{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FA8F42C0B9F5CECBE9497F9EDCE0357,SHA256=D81C238B19ACBC466527D02A7128AA77C604A1D8EA70DC3D9EE83C669DAC04B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449500Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:05.167{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E788FC0EEABC7B3C153AB572664456C6,SHA256=39E8D204ABE36CCEF87A0F1A4169D6B619300B0226E7C2A690B4D7011B8203CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394394Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:03.293{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53669-false10.0.1.12-8000- 10341000x80000000000000001449499Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:05.104{D694AEB8-03F8-60E3-810A-00000000D301}65083524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000394396Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:06.392{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4073641F3F7A87BB1C4519807A53399C,SHA256=25EBBAF10A979E5FE35BA02B1DB840D5B994FB17308D56766F1C0C32292B5620,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449505Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:04.607{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54273-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449504Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:06.185{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A49306CDDF78229094F1AC4CECA619F8,SHA256=AA2682E525607091BDDCB269CD01F212ADDD9BC0387173A613A64BF4D73864E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394397Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:07.404{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=877477E7DA537D2D6A1E8A7BE985DFC9,SHA256=835405BF301C28CF3375D1D2AEC3A17ACDA37B93804AD53BE46A2E75FD402B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449506Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:07.187{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9EE8E4EA0009FAB1E4FE629D3173A6D,SHA256=C02BFF923B8EEAE3D7266F475FCD95821A2D8DBFDFB43459BD98FAFAC6185535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394398Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:08.406{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=205C693050194C656AAB08CBF95EF03E,SHA256=5F4F2F0E943992F198DD74E59D46225F7FC5D858C872BA92263A5185C25BA86A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449507Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:08.203{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE20F2E223C881AB275A678CA7FB3A8C,SHA256=55C28376B375B238501BCACFA08F677D2E6E0591D421DD68EA86D3FF653894C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394399Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:09.406{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE4056E1C8CCAAACE16AE287C4A98BA4,SHA256=5A201EFE8EE7601713466C4EC5D8568F165A8BE9242674F67814DB1EE38BEAB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449508Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:09.218{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3596D8B09CD08DA71E342D0BBEA88BD5,SHA256=2CE44AD2CDF8122083C3FBEDFE6621D9A8616B02BB157D58E7D9774EEA1A9831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394400Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:10.406{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9EF1CB69C236A897F5D370DFAEA1148,SHA256=D33E060A623897429A307D6B4BC1A44E72F95FC64A4C248C47130E306F6796ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449509Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:10.233{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA9F7D435B6291229196B36CEFB08A8,SHA256=C79BD4D1E96EEAA049C764A021EA8A15E7CF10893211AD4B62D5DEF0116013F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394402Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:11.406{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDEB3DBFD249D67F1F705443BAC8A7FC,SHA256=C823C948C9C1D24BA1E6FE9A33C7EA9E43C57D7F899C6BE24A4A28460119C68A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449511Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:09.620{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54274-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449510Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:11.248{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6E0B20BB31AF879278D7CA0330FC48,SHA256=F0FEA04623D315BBB269B5696EBF45E56F82D84C944DAF18CD4DE2AD379B73E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394401Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:09.293{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53670-false10.0.1.12-8000- 23542300x8000000000000000394403Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:12.406{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502BEAFBAAFAB861F118AB81722951C2,SHA256=ED1747149D491D132FC4AC3EFA357B7B18519AB37A415904335494269A3C4E62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449512Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:12.262{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D17B3317B83C06367E2125E829782AD,SHA256=7D79EC4735E9D9BEF1F5CCEDAC699C05FC6C9137AED3DA667DF399B658AF9410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394404Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:13.406{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A1757AC18A43641B71355A585BDADAF,SHA256=684440294D2BDCEACBB3350477E72BC8A0692511464397CC3D58E4C0443743D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449513Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:13.262{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4098E1DAF52990DB6DFCD402DB105BA,SHA256=7A2C7DF525DF2E72B29A8671DA7A34B11B147AD6D81CA46FDC68F973AE3E2989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394405Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:14.453{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E8618063F8DB0E178015043EB8C93FD,SHA256=1049F945344FEF7E4C21F21EE309BEF5E094482BF34345C4430C45836F2A7922,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449515Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:14.545{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=EAA9C82A1D0147CFEEBFF18DF95DC695,SHA256=8A40A1D0FF9FAD15A3CBC0D1FC6E7CD4104F2B4C760C3FCBDA4385C8A7E6DDDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449514Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:14.279{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7120DD008AEC698DD29020B4370A0B34,SHA256=1D1C3B5387BA62CF75034D46AB2CBB6E81412A5CBAF7F5B89D1E3CA67795CFF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449516Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:15.297{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7A9A25B27B496DFE4A116AC7445F39,SHA256=301591A8EF4D6C91301A97B1494A670D40E4101F790806952C14FDE39965FCE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394406Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:15.468{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34FD2E0336F011D71D708CEECACBD5DF,SHA256=A489B0EFEB405C7A866FC7BB5D8A669B4D284CFF0FA2431B221423DBA6261EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394408Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:16.531{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09CE56B1930FF0FAAC0618F685B395D8,SHA256=4F052DCE861E8180EFD517DCD1FD34444359A884C09F3CA41D174BDB26B4242D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449517Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:16.312{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D6AB8EC5E65A8309052D5BBD04BE7A,SHA256=7091AADF507DC50CB621628E25461AFDDB9ADA2C6FD9BCD0E473EA9545ACE23E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394407Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:14.294{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53671-false10.0.1.12-8000- 23542300x8000000000000000394409Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:17.640{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F516EF0C566DA71B3D549F4FD001A3,SHA256=89B2CF2A4990B2EE81E9CAF073C8DC20E07476D9527B0FA1F0B20440B004931C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449519Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:15.615{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54275-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449518Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:17.327{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=712018E6057282984BD67E61DA207D4A,SHA256=C3B8AA60C624549340719A8CEC255F3CB74754FAE5E5B088CC5729D7267FD22D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394410Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:18.688{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEF7EEFFCE87BD10DFB1DC59AB53234C,SHA256=468A7B2D86483C189092C6EA502E062893A285F2F15330623A5CA88A59C9FB10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449520Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:18.342{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD8C0717E5026AE3ADCF065509DF876D,SHA256=947DC24CC3064FD1357684E1254852852956693BFF132B8F129FBF6F5575A6CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394411Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:19.765{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0464A3C9E57B65A2F1306C235B43EB7,SHA256=974DFE1D8D99E0F43BDDF21AF78FA5A17F47BC8FD24D610F2435CA6ECEA2872D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449521Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:19.356{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0CEA54313BE0FAB0207E9B559A5C60,SHA256=DC4A53FDC67609912DBB9B37D6A1BFBD99DB4FD6CC6F8BC3DF7A0A121CA5AA6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394412Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:20.796{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3973D96E4822D45068E5D15D07F5ABC7,SHA256=28CC2803D9A2EB0285E9C0FCC2C9E4499E990CCC5C189564DC503DCD54A59B14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449522Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:20.373{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D31A63FDD46D9D03C66F5DBC4100E3CE,SHA256=47063AFB77A2184780769315359F88270819EF21B5B848189F7B2EC6EF30FD10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394413Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:21.812{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4B055159A07691A8DC873E78B0FF0D,SHA256=91BD383200AFF286B5259584D5D62E21BA8FD32F161082F0D56F3DCC862F5E6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449524Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:21.740{D694AEB8-B3EA-60E2-0D00-00000000D301}9166928C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001449523Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:21.393{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F29ED413226DA4229D67D3A222EF2AF,SHA256=763B1D7A798204973B72C6BD55B03957B01469DEB91B59BE62FF8AFEFA20B01A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394414Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:22.937{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79B5C7C862BA2FF148ED39971A6D834,SHA256=4D83C1A0C179F1D3A7AE80FFACC3DBFD5919AB331634A49BD001D4AD59982A92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449525Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:22.408{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1115D866BD0F19E9AC1C10C49EA7C053,SHA256=FF43CA3F8EE2F76E48E92E06AB54A38610757FE2BA5F7C566F21956D6398BCAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394416Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:23.953{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD5FAD4B60A7A59DA618387BCCC84C5,SHA256=4F1E87397C64822E2BB6F0E86E67C2E45A1BD573F13A8B648F393D80A4B38520,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449527Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:21.627{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54276-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449526Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:23.422{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E9F9A5E26BB8EAEAC047C9229066550,SHA256=B9887447D4271C1CFDB2E9E0BCC24EE60DBBD3B627304BEBA43F36314E4163D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394415Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:20.309{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53672-false10.0.1.12-8000- 23542300x8000000000000000394417Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:24.953{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=449C06D4954CD2B45461BDFD429FA6BA,SHA256=A194CA51F593B8156BDA0E849FB568E1E1F0BCC457AD7BE3D58E32B9CAF3C1E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449528Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:24.437{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3656E1551C50705A1FB3BEA992AD9AB6,SHA256=78BA481A7F41015D342AE461199AAD05955049863ED48EED4D6715808080564D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394418Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:25.984{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D05C5D9966BA50EE76A6F20C9DAF46AC,SHA256=146393E74FA21CB5ABB67BC28AC9354394E0A24C13361D6B48727357E73B75F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449529Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:25.451{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DEB45715DA0B02574C295EA8E3EBB5C,SHA256=D5AF18A96DDAA9A4225A3A3DC7813435FE2D54233F23296E9D51323F698EE5BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449530Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:26.468{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB9273123AA0E521CC27C2B80C0C7920,SHA256=55F512A2F4A57D3E135E6A93BFFB06B404ED0814EC13839D52C925A945E6CEBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394419Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:26.219{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=89579BE508CA6DFD6E203A73FC18ADFD,SHA256=93BA3094B088B11E6C65901E3F5A884FADD5EB5CE6C82DC02B86202FB6D0C05B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449531Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:27.502{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE58867986406629FC772EE20509C3C0,SHA256=FB60E5E089B606A94CDC82DC8B8E27F2AED6F9F98D435BF115CCD5C263307C09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394420Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:27.000{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85521E6FF541D6FE9555E7BD466637CF,SHA256=DD4285BFCE56F6E065C23B0D91EFB9C10F6976826B0776183B964F653497BFD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449532Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:28.532{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17869F54D1B9AE4FB5FC6031327D810E,SHA256=A90EC848E8639405A1C2BA202C617A6118DB77FD40663C5A48FBF2442439DDF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394425Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:28.218{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394424Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:28.218{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394423Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:28.218{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000394422Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:26.246{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53673-false10.0.1.12-8000- 23542300x8000000000000000394421Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:28.000{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FED114B5227157EFAD2B5693B042DA,SHA256=EE6CA6612922DB2EA0B3E3418826A01AFDA976F1C6F7B228434B03F0B649360E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449533Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:29.564{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D657D03C43981BBD5B3DF7A17478C2FF,SHA256=3902A4DF4C8F4E07A0AE14067A0B56812F82136C9ED4A2EF8D98A53AF59F6827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394426Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:29.000{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E732221D014727B6DB909C9A590EB68,SHA256=FD49545C429CA147E2ABF0DAF6B955760B20924686BAFF1BDC3ED303EA5AEB51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449536Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:30.583{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F6F6B7B36978F82ADA3F032DABB5E5,SHA256=FA83AC916038CCB2FF9AE462FFF41B99BB36CD3BB5FFC1A2B6F2F99F20456A49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394428Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:30.734{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394427Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:30.015{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011A4ED881F80416131212B3F0E612DF,SHA256=9FE81936AA6F90B1B47E918BB59FE2A83D82B9B71736C062BC18295A5EA1947F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449535Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:27.619{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54277-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449534Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:29.999{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449537Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:31.597{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF6D9137337B4E31BB9D2FB1E2289B5,SHA256=53B6820AD2EB18C4A84B3AFC74B65AFB70560F50216E5408F2260B22DBA2D27F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394429Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:31.015{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DE35246FFE214128DBF41C4028325CE,SHA256=80006F070692A8AB15DE143CB3D643073A150B9934A5D64834D12C3E32AD97E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449539Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:32.627{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A69D2AA49ED1575D24127BA386668316,SHA256=B5C0184095A2209BD186019C92906108E97A49E88E70093F4DC3A103D932F0A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394431Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:30.918{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53674-false10.0.1.12-8089- 23542300x8000000000000000394430Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:32.046{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=171DB66C199EB53C038198E6891EF6D6,SHA256=2ED89473758DA0C45E6ABD08E11DBA303650CC037C0585D00FA6B22B3A297077,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449538Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:29.439{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54278-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001449541Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:33.778{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CBE3EA91002E1A1E0992E144F5ED2BE2,SHA256=6E1FA24ADA6AE8D1052383D91781EE1ACCBCADF2DE24BAEC9EE9326BD9947FF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449540Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:33.641{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD1F6DF86A14801A8A54DB71C02887EE,SHA256=52D40A382F7A0AB0905275D30A6E9CB0015BD55145CA23AE3511C92070DB5688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394432Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:33.046{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD7729A572D5C97436B2DE43FD1C538,SHA256=955333696CEF5CDFF69AAC1EFA26E48A4100FBE2DC4631C3A8626484C181CFF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449542Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:34.662{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF1DF5C2728E20398CEEB9AAF001E9E0,SHA256=27F8653A5D480C92F8E6371C051142C7E354FF5C3A7AE737D263CBDA9723EE2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394447Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:34.687{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0416-60E3-F109-00000000D401}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394446Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:34.687{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394445Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:34.687{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394444Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:34.687{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394443Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:34.687{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394442Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:34.687{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394441Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:34.687{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394440Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:34.687{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394439Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:34.687{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394438Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:34.687{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394437Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:34.687{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0416-60E3-F109-00000000D401}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394436Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:34.687{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0416-60E3-F109-00000000D401}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394435Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:34.688{7F1C7D0B-0416-60E3-F109-00000000D401}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000394434Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:32.278{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53675-false10.0.1.12-8000- 23542300x8000000000000000394433Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:34.062{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0268824063630DDB599AE59D0A3F46,SHA256=C96F1AE5C8316F6469B652914032FDF48C5BAAE81599BC14F173A03D0756FF32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449543Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:35.676{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F28D203B9DE0EB903B736970731ECD6,SHA256=426D9E835E4D4BAB784012014B056D59F7327323115587DFD6E34E8D69DDDD15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394477Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.734{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0417-60E3-F309-00000000D401}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394476Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.734{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394475Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.734{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394474Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.734{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394473Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.734{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394472Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.734{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394471Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.734{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394470Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.734{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394469Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.734{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394468Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.734{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394467Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.734{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0417-60E3-F309-00000000D401}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394466Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.734{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0417-60E3-F309-00000000D401}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394465Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.735{7F1C7D0B-0417-60E3-F309-00000000D401}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394464Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.703{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A2A6DAD999FA976FD0B0EFC723D7347,SHA256=603903E546F503186CF00030000C0AB87FD453E570FD16B58BE15184021DE204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394463Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.703{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2665AE051FB50E1B7B6D4BC8EBE760A,SHA256=9B371B6C29AFACF3A5C1B7C06DF723D277C47E2122C9217269A4198D0DE6D4EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394462Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.375{7F1C7D0B-0417-60E3-F209-00000000D401}3196972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394461Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.187{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0417-60E3-F209-00000000D401}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394460Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.187{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394459Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.187{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394458Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.187{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394457Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.187{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394456Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.187{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394455Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.187{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394454Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.187{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394453Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.187{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394452Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.187{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394451Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.187{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0417-60E3-F209-00000000D401}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394450Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.187{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0417-60E3-F209-00000000D401}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394449Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.188{7F1C7D0B-0417-60E3-F209-00000000D401}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394448Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:35.062{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8664BBDA6373569ABF2086AB0E2316C,SHA256=AF6D9B743EC0EB3E3923B41863E558288AB9CD724AB12067BE38F874307FBBFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449545Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:36.691{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF676CACE7E68DEA59F9816B4074FB71,SHA256=EAC1354C3023CE8A151C1D10FCBA1DABD6A33397B437FB53D5F477807E3BDF26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394479Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:36.734{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A2A6DAD999FA976FD0B0EFC723D7347,SHA256=603903E546F503186CF00030000C0AB87FD453E570FD16B58BE15184021DE204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394478Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:36.218{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=356F050BC1877C445341AF0A48D7181E,SHA256=947FE76A6E8D52DDEF8FFE17C1E3BA8FE5F2042D177CC50A9CD7AACFB3170DA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449544Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:33.649{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54279-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449546Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:37.721{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=312694BCB4FB5F0247C0FB6CA9DEBC67,SHA256=90B8128E1C9433334483CC4E3432482E48F78F516D7A955EED1A60DA565AE14B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394480Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:37.218{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AEC7D91B9B76CED9E7EC2A39B03B3F0,SHA256=8A6AC5C893981D92B77DE7EDCB3BEFA81C4E4787A131C2DD056558EDCE2DDDF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449547Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:38.754{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C30E94CF6F696FCF38628E6C97462C30,SHA256=495288AE000276376DF92D9D9DB63E1785B3FF97357F093B862E52D1A8C59EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394481Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:38.281{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256DC9442FC747ACABA00370B49B479F,SHA256=21A361C7AE1A9E7FE13E8E8B84EADD8230A0EF88BE31232C8ECE1B40B30C9453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449548Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:39.772{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87C7FAB6CEABC33E85E4AFD1166AEF9C,SHA256=2928B04225D78200A1BC4F3374D495DE6CF47157F7FB2CE8196663AED291B771,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394510Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.781{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-041B-60E3-F509-00000000D401}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394509Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.781{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394508Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.781{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394507Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.781{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394506Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.781{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394505Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.781{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394504Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.781{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394503Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.781{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394502Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.781{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394501Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.781{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394500Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.781{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-041B-60E3-F509-00000000D401}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394499Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.781{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-041B-60E3-F509-00000000D401}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394498Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.782{7F1C7D0B-041B-60E3-F509-00000000D401}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000394497Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.531{7F1C7D0B-041B-60E3-F409-00000000D401}33722500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000394496Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:37.293{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53676-false10.0.1.12-8000- 10341000x8000000000000000394495Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.281{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-041B-60E3-F409-00000000D401}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394494Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394493Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394492Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394491Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394490Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394489Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394488Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394487Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394486Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.281{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-041B-60E3-F409-00000000D401}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394485Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394484Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.281{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-041B-60E3-F409-00000000D401}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394483Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.282{7F1C7D0B-041B-60E3-F409-00000000D401}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394482Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:39.281{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD50545E4608BC55F921785F5906C816,SHA256=FB40941E4102848391C96B7481E8B21C160A6D7112D19EB0EA04783E560FEFE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449549Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:40.786{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381DE889E919AE806AFD4566D4F0978B,SHA256=9E770E78508EB2339D043EB303D433B554C2A019C3E62415B873F535C299438C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394540Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.953{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-041C-60E3-F709-00000000D401}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394539Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.953{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394538Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.953{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394537Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.953{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394536Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.953{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394535Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.953{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394534Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.953{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394533Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.953{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394532Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.953{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394531Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.953{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394530Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.953{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-041C-60E3-F709-00000000D401}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394529Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.953{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-041C-60E3-F709-00000000D401}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394528Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.954{7F1C7D0B-041C-60E3-F709-00000000D401}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000394527Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.468{7F1C7D0B-041C-60E3-F609-00000000D401}32043656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000394526Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.390{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DBC1E800647FDD300E22B3FCEC25F7E,SHA256=CE968257CD9A73247E6C75948A3E0EAF0FA5F408A4F555A852ABB074CBFA9261,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394525Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.281{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-041C-60E3-F609-00000000D401}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000394524Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.281{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57A56DD5070A07F838221A7E114CA8F3,SHA256=0F7C6819E931199FF46501EACF4F4A9417B1298B3AF83B02562E3341FA58D217,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394523Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394522Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394521Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394520Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394519Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394518Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394517Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394516Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394515Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394514Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.281{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-041C-60E3-F609-00000000D401}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394513Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.281{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-041C-60E3-F609-00000000D401}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394512Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.282{7F1C7D0B-041C-60E3-F609-00000000D401}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000394511Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:40.015{7F1C7D0B-041B-60E3-F509-00000000D401}18203756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001449551Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:41.801{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=015AF41765EC6E733E0D7EE97D091D72,SHA256=9DE5996020B9AB4828C64D9265E4008B96E4970F8874AFDE836FA3C1652742E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394542Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:41.515{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=840AD209BD841E9774C1D7C89CFCE102,SHA256=D9FD1D45128EB551662655426CF434B28625AC8FA945903543099F0EB5A9288B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394541Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:41.390{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E13601FB1D5769E3C470A3B8F961339,SHA256=9414E48DA0EF32F1DDAFC3EFEDDD424639D24A0CF9283D6542F8C498EB967F0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449550Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:39.505{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54280-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449552Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:42.815{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CBDAC3E9414AB131CAF61201C52DECE,SHA256=1CCF46E5996FFF8679219741849AA25E3B079AE5F8576865D9038A6313B8242A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394543Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:42.390{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=840CDDA883D580993B459251D8145C92,SHA256=E9BD86E00E1DA7267292A858589D4FBEABD47BE6C6C62B1F8D1DAB6CF3774509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449553Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:43.848{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF2FC208FE3D47E8C09B27749E15AE1C,SHA256=58115EB8F9DB3144C953EF189458088E4C557B97623CF301D19534BBFCD2C6CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394545Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:42.372{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53677-false10.0.1.12-8000- 23542300x8000000000000000394544Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:43.406{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA9C7B002BF2D802DC5ED39D2C79C64,SHA256=3167E2536E3C57179171DAA8DFCE7EB61F032D6A45FF93A58589819B1C4039B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449557Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:44.929{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69E557991EC8922E85C0BF970E8C2ED4,SHA256=A3155676EDFA4BE2B1AA6586E4533D974BDBAF4ED25E032B2A360EC74E86379F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394546Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:44.406{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9429F4688E1BA1E2B94250EC0CCE15FB,SHA256=9F6F6AD07F692047CCD5E9B951C777F6C841F4F59B065ECD505A91F025BAA520,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449556Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:44.130{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55af0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001449555Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:44.130{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+555d1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001449554Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:44.130{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF13967b0.TMPMD5=7CC92A355EA66A219E3148903E63F654,SHA256=CDE288AC5D74287BFA2D9257B236405535586530C59E6CD093A4AD9FE7326A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449560Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:45.947{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F00E721BC033C2D9221DEB33B6935D,SHA256=851816E09DA18DE8C7B55DDACCCBE3D269456E456F5A3C58A956CE2DB63933AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394549Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:44.314{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-62151-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000394548Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:45.468{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54B0982D21E17D228BB05CD526335C7,SHA256=A6C684326AEF160DACC8F209BC3158A1A84F9959EFA959C4AF331FD05027DCB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449559Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:45.098{D694AEB8-B3EA-60E2-0D00-00000000D301}9166928C:\Windows\system32\svchost.exe{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449558Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:45.098{D694AEB8-B3EA-60E2-0D00-00000000D301}9166928C:\Windows\system32\svchost.exe{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000394547Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:45.421{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E49BA05FA7121AB4A2A1F7499DF32CA2,SHA256=02AA015948876D27671014DB5BD04C35C1662A73EB00F9DF806C127D954F4491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449561Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:46.964{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB215A4D3BD9796E5BF8C39F8C17E612,SHA256=5AC2F1F8B5591E77DFD9338D1FB2A8CCD826DF3FD54E33E033F9C4E6C8C39408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394550Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:46.562{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52734A06EF3074F0E87BB5D8CB2F17DC,SHA256=CC35D203433E06758A06BB588FA624B1B06A097784E5F21459D90B12863BD5D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449563Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:47.979{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E0454A56309410F2D09D2F6A21A914A,SHA256=30C1AA5A0EC2AE9AF2AD3CFF2DD9D919243442D37DF7A22D913106B3E60D89B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394551Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:47.593{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0198FE597AFA5B838A1AB506EE11B7C,SHA256=4B34762055B5714D86F4889A9C06A0032EB657DF59CE9A0666DB47E6269F80D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449562Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:45.521{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54281-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000394552Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:48.625{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41CA1F3CAC75D5661BA4C1683476995F,SHA256=846AE4870C734F4171EC0D596C5FD130DD6DA2C0C210CAD3360A09FA9782A2B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394553Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:49.672{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D51E25C3906059239537333AD1F2BA6,SHA256=E70E0A9046F2B9E518B22657BBF9F3C254BEB9629D772FFF75F5D899F3B7F1CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449564Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:49.009{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65FD7813956569B6BFD32BD4752361DB,SHA256=5FF73DA58C8EF778B798B5ECB078E1D9093ADFC7B607663C88B460EDECC42294,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394555Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:48.387{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53678-false10.0.1.12-8000- 23542300x8000000000000000394554Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:50.687{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FD361FB68BA76E1286676EA5D13244F,SHA256=69CADA26BC64C777C42C9FF5169920FA520B99140E994BC45CB456FFF20D00A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449568Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:50.376{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449567Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:50.376{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449566Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:50.376{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001449565Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:50.041{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E34B0026DB4173FBFCAC6B7E8A709D3F,SHA256=F818953C723C60A2AB8D615E4F27A00652ED88B27CBFAD8FCB3CB8F2B9534F93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394556Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:51.718{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=698719DAC07FE9DE608897DF32D2FC1E,SHA256=8D3C81442CD666FC0B0617A55FA6D7D88B9405C4FC3D1CF798D3BB7397AF5D0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449569Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:51.059{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097BDCD0392C2008067B35599CB18398,SHA256=A4FC1B59F4FF01351F3A92154F4131C6F5A7A3FAD627EAB960CEF826685193ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394557Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:52.750{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFBBA2CB75CEEEF8D08BCB8599567766,SHA256=518F3BAE5021C01A669143EDA98033790C29F5C997C9DFD3690B2B666E8959CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449570Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:52.074{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B475116168ED1A95FF6132DC8F479B3F,SHA256=A452E3F250D25B1CB33CDD96F63D66D150CC6D939E1433A4C3F99C22265C25E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394558Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:53.750{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E57B2118109E02D7D434EAD51BD01D4C,SHA256=E1A0193F2DFBA9CF1DA3C9AD64EF52858A002B58AB48208C678FB3F82732DC13,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449572Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:51.530{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54282-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449571Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:53.105{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=587CC7068FA9B61ED6DBD7C5CD3A6E74,SHA256=8D99221B1210501F3D53B940C86AA820C2BD2EBD165ABEF427EBF79551E21F7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394559Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:54.765{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC40ACF40A957A8EDFE24FAEEC4EE713,SHA256=77385854AF8753469C564E9D755755EA56B03FE814D8A5186497A76EF01C6935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449573Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:54.119{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD8F8151C50C32A42FFAF742DE5A5E57,SHA256=6711D33A05EF29AE8B1A0EB86D81CA0C214FC5A742BD018174AB4DCBCCF9112F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394560Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:55.796{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15DE84BB361A423E4CA12B412BD3A695,SHA256=55A039C9B3AFFE3E962BA7A6850575F4C864B875374FDB47014536C8EE60F843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449574Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:55.137{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AE4A7034EC82B514562BB0A747398DF,SHA256=F6412590CFBFAD8358BE69CF0B1627ED2B60D494B9D72B68B94076999F860E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394562Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:56.796{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE9E1F7B015E868EA7A129CE76758EC,SHA256=522BE914E5FBD8712F8D51D5E994B523FE695AAABF2E35C23D7061FB5FF0E913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449575Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:56.155{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67213504E881BA14C60A159244893F01,SHA256=277DD4470AB347FAA637B2BD345F67FD831C328E3AEC12E2A03A18C3072A3950,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394561Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:54.356{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53679-false10.0.1.12-8000- 23542300x8000000000000000394563Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:57.796{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C24586C0C4575B1E6882B3F5C0102FB,SHA256=FCB6D6E544A451D1C92738E614BF78D3C999F0D03FFC27A3F5E7AE17CE8FCB53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449576Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:57.201{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E1041D808BE2B4B06D60EF26D82DE4,SHA256=9FC24E196CC345C7D502A68C8DA494984EEB29F496883AD98F6F528E96134C7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394564Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:58.797{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3734A643D0B3674DF4E58F8B233CBD03,SHA256=9C359C8AD9E2396E13C6BEB9A9B4C8478B4BF8E43BA7E939BA92C8894E68BCF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449578Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:56.541{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54283-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449577Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:58.234{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE55EC695C64519A871603691371D22,SHA256=7865D7C7807DEB555FF5D5D9EF73FCAEC86A5D180AF3A57705A311194D13E3FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394565Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:07:59.828{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE3884875BACEB1C0CE6871DB95EF05,SHA256=68CFFEB05CF45547CAFC241C0FD46BE1CADB06A9AC3890BA424151806A14C6C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449596Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:59.967{D694AEB8-042F-60E3-830A-00000000D301}12521200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449595Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:59.814{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-042F-60E3-830A-00000000D301}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449594Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:59.814{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449593Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:59.814{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449592Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:59.814{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449591Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:59.814{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449590Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:59.814{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-042F-60E3-830A-00000000D301}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449589Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:59.814{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-042F-60E3-830A-00000000D301}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449588Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:59.815{D694AEB8-042F-60E3-830A-00000000D301}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449587Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:59.252{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A350254208E0762E270FF18FD7B6A8FC,SHA256=201377039509BD6D67A03F7088FD3FCD4B0DA54994E38FF809E8BC87598E6A89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449586Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:59.135{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-042F-60E3-820A-00000000D301}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449585Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:59.134{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449584Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:59.134{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449583Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:59.134{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449582Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:59.133{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449581Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:59.132{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-042F-60E3-820A-00000000D301}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449580Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:59.132{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-042F-60E3-820A-00000000D301}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449579Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:07:59.131{D694AEB8-042F-60E3-820A-00000000D301}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394566Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:00.843{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=941AE44B27A5A96B8E114587FA2A3F47,SHA256=13707797A5A8EC27DF13CB1695107BE602A303CE23002D7135FD88ADF0E02CE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449607Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:00.497{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0430-60E3-840A-00000000D301}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449606Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:00.497{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449605Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:00.497{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449604Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:00.497{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449603Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:00.497{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449602Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:00.497{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0430-60E3-840A-00000000D301}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449601Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:00.497{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0430-60E3-840A-00000000D301}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449600Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:00.498{D694AEB8-0430-60E3-840A-00000000D301}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449599Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:00.266{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9CFE561AB3974B9FFC209445DAC6DFB,SHA256=27F71345231D6364022909E77A24C9FF1F20E49A41F18C81B0F44C63B6C5518C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449598Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:00.166{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA57BFF349ECA410A94C24F0C010B51F,SHA256=BE51F2C621582C3ABBB31B5C6A063FEAA40AC3754A51417CAD4FA85A47E9D04B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449597Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:00.166{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55CB12C0FA4D657B50C8360A958E32C3,SHA256=1A6408B22E142663DD45AA4678EF02C4548CC5631E5F79B5EE29E9685C4B83D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394568Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:01.859{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5D0583C892F4CB042ED6E548FCD03C,SHA256=CBFA26BCEBD87BAE19ACA13F7C42A2377E7D8A162BA38A21FA0EFD959FF3AB9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449609Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:01.597{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA57BFF349ECA410A94C24F0C010B51F,SHA256=BE51F2C621582C3ABBB31B5C6A063FEAA40AC3754A51417CAD4FA85A47E9D04B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449608Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:01.297{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B1ECB1CFE79493489100C46F048414C,SHA256=FF0AAF874FE436FA791D6443EC449DAF77EDBC60DE51D25E55D87811015EC603,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394567Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:00.372{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53680-false10.0.1.12-8000- 23542300x8000000000000000394569Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:02.859{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B87DCBC24F58A6AED9C56EEE67C7B990,SHA256=33F776B2ED23D6D148EEF016CD3F78570B5AAD08C76CC3E71B0C60BB871E69B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449618Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:02.911{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0432-60E3-850A-00000000D301}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449617Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:02.911{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449616Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:02.911{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449615Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:02.911{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449614Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:02.911{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449613Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:02.911{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0432-60E3-850A-00000000D301}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449612Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:02.911{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0432-60E3-850A-00000000D301}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449611Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:02.912{D694AEB8-0432-60E3-850A-00000000D301}6476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449610Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:02.330{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EAD0489118883AA27FF56F67E37E539,SHA256=72DAE4D8D18AC5FEBB09D873315D35FA8FCB195CD526FC10994D45E99B93F7B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394570Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:03.859{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D1015EB054F4DAACE6024A8CC6FD84A,SHA256=EDF775222860E8C35B0EBE37DDAD21F4DE43FF46DFB26CD56D1D47EE21750908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449630Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:03.931{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=021F6699F8231A2684053F74B8BB8C7A,SHA256=55374399177E6D351533711189F67A09AF4B5FB8E57CCD0F3DC8BF56E5CDF2BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449629Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:03.627{D694AEB8-0433-60E3-860A-00000000D301}17644436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449628Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:03.464{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0433-60E3-860A-00000000D301}1764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449627Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:03.464{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449626Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:03.464{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449625Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:03.464{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449624Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:03.464{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449623Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:03.464{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0433-60E3-860A-00000000D301}1764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449622Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:03.464{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0433-60E3-860A-00000000D301}1764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449621Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:03.466{D694AEB8-0433-60E3-860A-00000000D301}1764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449620Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:03.349{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57021A089D8434A4A98BD8BE23B08E7C,SHA256=B26468EDB872A3B5A2F1D45313682EB4970517A3D52AB65E800560BE535771BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449619Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:03.080{D694AEB8-0432-60E3-850A-00000000D301}64764444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000394571Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:04.859{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70A65F2E2F25BEFD08C84AB835F484D5,SHA256=57FB7DBA6EE85766052688E536D1F38080EB91232EA69B6DC6721B835E94FBC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449651Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:03.120{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54285-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001449650Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:03.120{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54285-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001449649Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:02.582{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54284-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001449648Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:04.910{D694AEB8-0434-60E3-880A-00000000D301}61045456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449647Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:04.748{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0434-60E3-880A-00000000D301}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449646Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:04.748{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449645Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:04.748{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449644Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:04.748{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449643Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:04.748{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449642Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:04.748{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0434-60E3-880A-00000000D301}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449641Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:04.748{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0434-60E3-880A-00000000D301}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449640Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:04.749{D694AEB8-0434-60E3-880A-00000000D301}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449639Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:04.364{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E932C6FB9AE6BFC27763DFC8369141D5,SHA256=E1F8AF596E3765496E126D0E75C54686CE675F449920BA32CA3381113959382E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449638Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:04.064{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0434-60E3-870A-00000000D301}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449637Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:04.064{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449636Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:04.064{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449635Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:04.064{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449634Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:04.064{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449633Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:04.064{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0434-60E3-870A-00000000D301}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449632Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:04.064{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0434-60E3-870A-00000000D301}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449631Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:04.065{D694AEB8-0434-60E3-870A-00000000D301}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394572Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:05.875{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D48C4683479B53A591DAD587AAFE99,SHA256=6C5604DE56A009952A3F8BAD0A5C0A67BA7EB0E9382F35C0CE43A3BC8238EFF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449653Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:05.379{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2128E72578EFF27E07341E3DAB713AA4,SHA256=5675A790025E9CCA9DBF7777AE29D8465318A2F6DC59A00FD5933DCCB4114313,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449652Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:05.110{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2040A3CBD16C2F1F22B9F1B5BE9A4874,SHA256=24A797E6B3DBA4A0EA963C60EF9D485B54AF0EAE57DE59DC94B76B7BFD727585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394573Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:06.906{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=945424197FD3BA50563007438CA73902,SHA256=E8CE4DF211E5CE0A102D925C2ED8F4D4D0E847A4EF981E481F17F54BA6C63AF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449654Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:06.409{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC618FBC38E611AA948C90B1C4F1FB76,SHA256=4051C9FCF271648546B2E387650065DBB76B6264A5189662FE9FF078FDE22D4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394575Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:07.907{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4316E057569DAFEC267C5B1BB4F77D27,SHA256=C15B5F79AA32BAA8D1D1B75DCA4AD21E7E6EF7ADA0762DEDDEB3BF7A92C7C906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449655Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:07.426{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26878F4D7F70E205F7D77DF6EE034A71,SHA256=24BD9490250D0EA1A68642147E4BA5BBE8F5A31D1FC08F5A83854EB7BD6285FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394574Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:06.388{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53681-false10.0.1.12-8000- 23542300x8000000000000000394576Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:08.925{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E85BFA3FC0A00E2075B40CCD70A234,SHA256=2AF92A0F732C6AB096ED85DA667AFD3BF4910CA79BAD88EC7D99AFBCA5920D9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449656Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:08.445{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58FB2D71ED6DA37B4D67902295F41221,SHA256=2EB8E8F5632445BCFFE5AB6E7013EE6F1005385E1FB71F1077B9B662465D17EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394577Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:09.926{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=501C3DF002D77752E969C612BB390975,SHA256=014890DD08E96EF54B53FE161A824D393836AFD8662610281FA14615E0CAFED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449657Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:09.460{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B3438AACD0EC22A8B32E5C562AC9B24,SHA256=911317180D2C4168F153324FEE4412657BE5A4CC8AE993408A9806BFA8984261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394578Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:10.926{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5360B4751C1DC807B93D097A0BCDA224,SHA256=A4A03390B30F07FC04E82A52E3DD0A68499ADE8B1C7BD2386870473F081C58D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449658Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:10.474{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88C6CCF8AAA74CEBAD887EB741B97A1C,SHA256=FA32652F69E4E1A8F047842E1C5E6E078363BC038C6A13771EDD0FBACFC481BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394579Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:11.926{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DFFCBF69B2675776DACE7E6D26A299C,SHA256=3DB5DB5DBA89221A7411EF6E3090686C08C8E1067E0993141797F7E1FB75C8D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449660Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:11.523{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381605AAE7A9D5CAFDCC2FEF5CA2D05B,SHA256=3F95F20465794665B4525FD6742699D0FD8AB973683185052238654F00EB87DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449659Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:08.581{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54286-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000394580Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:12.926{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B42776C4837D85DB72D2F508DF65D50B,SHA256=337740353A0FEAD0A449154763AFD5CB64D1388B3042BDB7A4878035EC664D32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449661Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:12.557{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0488518ED6036DD07228D9994E48295A,SHA256=3553322C8F9030360CC6170D127C77A9DCE075E5EFAA9AE76C86123EACA11719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394581Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:13.942{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4CC71D4022BA336AD98DA237C54DE74,SHA256=6679D6564364749AC47B3B58E122C1F2E0142C584FC31C1A89D6E55D3D464F7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449662Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:13.572{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03CC7E1F8E220F9A79582DA89BED2A30,SHA256=81E6D162745F62E32B1BFCF9E0FA7F05420270229DE6F54DF81B03E4759ADAD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394583Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:14.942{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE3B3E5C9DA160DEBB78236DFEBD668,SHA256=9E8B4F5766604EC3566214B95D67B9CDA2D062EC1B3455E01A581DAD471BBC7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449663Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:14.586{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C096ECEED063340D218D09E12E1AAB74,SHA256=9BDA8BEFE3596168B45FDF0CD120FBD5979AA4D896906210FB6DD554EABAAB6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394582Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:12.346{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53682-false10.0.1.12-8000- 23542300x8000000000000000394584Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:15.958{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8839DF1E08BCC90AA274D0DC10BC499,SHA256=AC8B1A36F666E958EFE8D6249B8912C9CB43A1E67A6B72419608F06C3FE7A9BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449664Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:15.601{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09817F527841C90EA3614C7C07C55B4F,SHA256=8AEA0910C923019A6806E38EA8691A9D6587EC8579F05ADA06CECA4240B6006D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394585Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:16.973{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DA99D426C5AB2125B24DBF58034C85,SHA256=50542366877E5761CB92F49998D7314D1BBCBF3F18780A5FA9D69D2AB29A7665,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449666Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:14.576{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54287-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449665Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:16.617{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AD6BFC52F8C2928C79A229CF8525808,SHA256=DB623D6AD95CD8A7F21CD620D4C013826CB1A5719299E9AC4A353E2DEC4A437D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394586Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:17.973{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97208D1E9A25CD25F4F8F9F95CAF2BA6,SHA256=8DE7739BED8629C0BDE13E9B6AEB19A4C787E7EE5C4496E05717782F86BACEFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449667Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:17.636{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D09AAE3EB4B40D45CA8695D32B27B1,SHA256=639874AA367B0B746CBB956DF0C6928F7CEC74D1AECEEA2A6B9E9C58E421E789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394587Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:18.973{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B6556728DABD23E2F68DEE7D6A31AA3,SHA256=FB79EEF992FDA716B8F60E0BF0E64B7B6643BA7A96C6F4E6CEBD5CC88E4041A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449668Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:18.666{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D563001AF8D59050169089F838B9D347,SHA256=E29768C5F51660A19BC2A87A2A9A45E4AD13CC1CD519A06CCD5F2A5ACDF2EB51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394588Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:19.973{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FF51337919B36375BACED6FF9C9894,SHA256=3D50D9F973FC05D1172C8741160F6AE713C14741DC94637B663FCCD611C23591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449669Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:19.697{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70E063C6598EA5CCFEB299E1A94D9D66,SHA256=B3DCB43D875C6AFB41C2262F591B149F70A1A00BCBD6FE8492903BB6234B13ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394590Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:20.973{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8BE57B00E0DA1D11AD98E8C7994F50A,SHA256=7C83F598344D7F4994B27A8BC4A569633E202B97E7446CE65429A1804ECC77DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449670Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:20.713{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5E31A0C45DCFBD0EED69517A26A5E8F,SHA256=59475F28523390CE5F89871B0F62809413F1D1033EDC256D34882AD0B431D397,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394589Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:18.330{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53683-false10.0.1.12-8000- 23542300x8000000000000000394591Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:21.973{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80201AD733C281F777CFD2F67793C51E,SHA256=95339C7786C246FFE5954ABC3206766C1B993855DB19017887A00A4FAA8AC6BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449671Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:21.731{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E2A7CE960507C1231F1DFC31916173,SHA256=CA0E1351ABCA916956846D9E79E159291E798C1F6022ADBB8C032F9FF039EA70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394592Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:22.973{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DF50258161DD77D36FD69BCA65A5F5,SHA256=04D7C9E639BF7D2F0598A951B83A566CB8A7232F82D06089CC33054E8D8409B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449673Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:22.761{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7FE4690502FD6FB0EE3B0BEDAEB3D61,SHA256=7D195062F239735AFCC2689B0BC3E71A826494EE9E25C7C2A37EDAAA00C5B29C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449672Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:20.588{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54288-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000394593Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:23.973{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022DD0230A3FF8A6B7E5F3CF114AF436,SHA256=9202BE7DCE2DEB2BD826B2ABBDD1783FAF99B2E82E2128594D93D0DEB9A017E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449674Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:23.776{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FA9593C349AD50E93CBD2FB4A7A6F85,SHA256=916414FAAEB5CA5E6A2480C7FBE0DA3C7E5CFC6F9A6138E8C5A2BB5E1CC2A02C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449675Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:24.790{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B645EB511742C175E7498A5189DED0,SHA256=9B2D207FBC693F4A026797AD7021A1EAFFBF29758A99BE6B32D0072C05815F51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394595Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:24.973{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34DF959FF4BF68A6503A4ED680FB5283,SHA256=8B08CDF4478771BDB89B2CE25A981E1143092FAE9EE8DD5378C3203361D03D4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394594Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:23.361{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53684-false10.0.1.12-8000- 23542300x8000000000000000394596Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:25.973{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E459F2ECF5986689BA2441AE3EA65E5,SHA256=AB83D91AE50A4987CD9C8889F5C18A96479D3416264DAB99DB3B85396D08F818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449676Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:25.808{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED5C903AA86A67683C6D2D13B29605E1,SHA256=E720493B3A3B96B7A3A8CF666BCF139AD506AABDFED825FC3D1FB74F084DDFC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394598Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:26.989{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC4147D5CD82693089A3578CFB72ABC,SHA256=A5D0D27CD1F55C04AB250958357EAE8311753F6669C0B142993BBF12D08A2CF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449677Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:26.826{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A1E436E8AE4081A88B89809246C1AC,SHA256=5A959E9EAA118F6E67704A159652AFC25DCC6802826402E00141002AD64C2DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394597Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:26.223{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=72CACA592155F598A170048C333ACC4D,SHA256=E67332D137F899FB8E577B88BE8F7729182C27ED714F76F64D644C5B38881542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394599Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:27.989{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F7F4B217A43FF7E5FF497357F388C73,SHA256=BF821DF6628781B7747FD387CD5B0C0742B5DDE73EB2FEF2785E33C7D27F13D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449678Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:27.840{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B535D365EEB9E6CAEFE02D30253F7BAA,SHA256=9E4CEE94DA2C8F77CA67A0BBC7566EBBB75D14CEA912C78AB6A4C93FD9084FFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449680Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:28.855{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D2676BE63C959523D5138603BB57E9E,SHA256=A6AFFD726D65B85D604387E60E9BC09F5060DDE619274E5E176D1D6AA13A8400,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449679Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:26.596{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54289-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449681Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:29.856{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9702C06729D5542FE5BD0F50A985DAD6,SHA256=669B0B2A5593BAF04BB92EF1212601685F0647AB3B33BEC2085736ACD0CAFD6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394600Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:29.051{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA79AAEF96A919B903F8E4F62DDAB9A6,SHA256=CF9E60F51EAD4508FD2AD921378A71808E96E5AC67E79CBE348C3DA647E8DC46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449683Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:30.871{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4942302B573F3020C29A927DB2AD4F7D,SHA256=11F5F9060D64EB3F2F84868E5D42296BE1C40D50181ECC369C78B595DF53F833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449682Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:30.025{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394602Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:30.755{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394601Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:30.098{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BBC4AD4A001F63DEA4B787A70B07475,SHA256=41EF651905C1A7BDFFB560557FF81064F31ABFEB01A65D6EB75B8C66998679B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449685Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:29.458{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54290-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001449684Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:31.885{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1691AA44BF9794CB3757C1145A30697D,SHA256=96BADD76A7FACCA39E7B5795E194A70293A8B160570601651003FEAEF9D7F362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394604Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:31.114{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=823AD7A82EF559FAB3F64E641D34284D,SHA256=62E8C8A6631248CF5150E22D8F4D7E77CA636926EA8A2A0A5EE7882FBC093232,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394603Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:29.315{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53685-false10.0.1.12-8000- 23542300x80000000000000001449686Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:32.903{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA20620050178B28D719AD703C0066E7,SHA256=11D768BB823355DB72B807A1EBE246F8C0CBDC9354535A2B1E4F39A10295988E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394606Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:30.924{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53686-false10.0.1.12-8089- 23542300x8000000000000000394605Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:32.114{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D21281E4D255835885328B423D00734,SHA256=0720FA4B92816B52DB0AAD01C8EE688E722FBACEC0E0969722E53EA93D0D7DAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449698Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:33.921{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD84417AE4573E5ECFCF5ECC2A18FA6B,SHA256=6E2100D811850994353281210D48C393A43AE1F334DC3939055E19382EDF9D53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394610Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:33.458{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=259381BEC7ACD69AD8E5B65FDFE62D6B,SHA256=2926AD1FECD3B3585A1BAEA3D03C3EFEE3ABAC90A3B6472079AAEFD4C6DD3DCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394609Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:33.458{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAFEE7B8A3695E6644191F752305EDB5,SHA256=0A5FA579198E82505755F4C37649F002132EA297262B6324033655F51AD784B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394608Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:31.858{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-27359-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000394607Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:33.114{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A625AA0BA0E7868769E4F22C567C20,SHA256=148CFA43625F305D4DA1621F670967027EB04F1B5C48DFFAA2C6176ABDDCC710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449697Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:33.783{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B86E01AC1023BA7438022369192E46EA,SHA256=76164195EE5EA1297BDE9434C830882CFC50B26B396A247F90334C6CDA3AD71E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001449696Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:08:33.321{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001449695Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:08:33.321{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x013a27d4) 13241300x80000000000000001449694Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:08:33.321{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77196-0x794e0df9) 13241300x80000000000000001449693Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:08:33.321{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7719e-0xdb1275f9) 13241300x80000000000000001449692Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:08:33.321{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771a7-0x3cd6ddf9) 13241300x80000000000000001449691Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:08:33.321{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001449690Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:08:33.321{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x013a27d4) 13241300x80000000000000001449689Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:08:33.321{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77196-0x794e0df9) 13241300x80000000000000001449688Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:08:33.321{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7719e-0xdb1275f9) 13241300x80000000000000001449687Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:08:33.321{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771a7-0x3cd6ddf9) 23542300x80000000000000001449699Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:34.935{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45AC5EBFB5035C39B487D5CB662D6151,SHA256=1F5543AF293F2CB02E4A6C288B54F6689D4C6CFAAB07B384C7E49C0AB19F60DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394624Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:34.614{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0452-60E3-F809-00000000D401}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394623Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:34.614{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394622Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:34.614{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394621Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:34.614{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394620Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:34.614{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394619Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:34.614{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394618Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:34.614{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394617Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:34.614{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394616Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:34.614{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394615Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:34.614{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394614Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:34.614{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0452-60E3-F809-00000000D401}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394613Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:34.614{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0452-60E3-F809-00000000D401}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394612Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:34.615{7F1C7D0B-0452-60E3-F809-00000000D401}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394611Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:34.114{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12059FD76670202575CBC3F1BDAE398D,SHA256=23D5C560FBB80C00647046206E0640C18C1E35FD30DA691C35B0C06B06D8678C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449701Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:35.950{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=487B2A4DA726BCB759986654DD413234,SHA256=54C8E8D0B37864EE6E6C6C78DEAC896E0CF8513704A43D834A944690A39A40B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394653Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.786{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0453-60E3-FA09-00000000D401}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394652Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.786{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394651Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.786{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394650Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.786{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394649Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.786{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394648Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.786{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394647Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.786{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394646Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.786{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394645Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.786{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394644Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.786{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394643Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.786{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0453-60E3-FA09-00000000D401}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394642Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.786{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0453-60E3-FA09-00000000D401}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394641Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.787{7F1C7D0B-0453-60E3-FA09-00000000D401}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394640Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.645{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=259381BEC7ACD69AD8E5B65FDFE62D6B,SHA256=2926AD1FECD3B3585A1BAEA3D03C3EFEE3ABAC90A3B6472079AAEFD4C6DD3DCB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394639Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.317{7F1C7D0B-0453-60E3-F909-00000000D401}12963840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000394638Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.130{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44AD356246B55B0BED9C8B2346231BB5,SHA256=121321017AAB46E0EE38FB23D1EC789F15C70ABEABB1F1A5D25CD66884962192,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394637Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.114{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0453-60E3-F909-00000000D401}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394636Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.114{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394635Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.114{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394634Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.114{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394633Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.114{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394632Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.114{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394631Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.114{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394630Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.114{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394629Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.114{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394628Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.114{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0453-60E3-F909-00000000D401}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394627Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.114{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394626Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.114{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0453-60E3-F909-00000000D401}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394625Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.115{7F1C7D0B-0453-60E3-F909-00000000D401}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001449700Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:32.608{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54291-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449702Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:36.998{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5529F2C8325620D0E758BF3BCCC188D,SHA256=69D3507A20941CFA758E073E3FE9906EE1C12FC8397D882D69A2C643921F8D07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394656Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:36.786{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD756F7F261E85E0A0208EA3B690D49B,SHA256=5865468C8E0429621937911509F15BD8061DBA5BC81BA0598D98F529ECE4D8DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394655Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:35.252{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53687-false10.0.1.12-8000- 23542300x8000000000000000394654Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:36.286{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8157A18431B921EA528BE739A513D55,SHA256=298B26000438D689335A62FF20AE245576C3DDDC7657AC017CADE17FC1E8F5CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394657Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:37.348{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F994545D121ABE41C8AB32465FD6D23,SHA256=C53F1839639632DC2DFFFE5081703ABB711C78FD6F8441075F83E11B4FDF5699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394658Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:38.411{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C962DE56C6560D6BA0EE196E7DA77AE,SHA256=7C5343A9F4725FF69FBD96E71D68178D2CD97BFAB8CA34C2A11E997814257D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449703Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:38.016{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=285BA0264D6A500C9EC065AF7E65BAC1,SHA256=DEB6AC7D88E43E5AD4123C3E11662F9E75792C5D7F1A735E10974C957DA2B32E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394686Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.770{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0457-60E3-FC09-00000000D401}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394685Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394684Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394683Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394682Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394681Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394680Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394679Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394678Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.770{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0457-60E3-FC09-00000000D401}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394677Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394676Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394675Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.770{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0457-60E3-FC09-00000000D401}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394674Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.771{7F1C7D0B-0457-60E3-FC09-00000000D401}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000394673Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.614{7F1C7D0B-0457-60E3-FB09-00000000D401}18843692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000394672Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.536{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F93EAC4D805D223665F5B90E1CD9054,SHA256=46CACF24EA3571C5C321807FC509D2E1A4956D4B738F35CA650A674B88D31F38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449704Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:39.046{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10F455B504760B1AA484B8E66A71B07D,SHA256=3857300CFA07ADB5D675253FE14020CB0529AC425FFFD1C662BB4135F50A4ACE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394671Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.270{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0457-60E3-FB09-00000000D401}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394670Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.270{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394669Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.270{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394668Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.270{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394667Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.270{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394666Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.270{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394665Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.270{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394664Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.270{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394663Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.270{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394662Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.270{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394661Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.270{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0457-60E3-FB09-00000000D401}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394660Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.270{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0457-60E3-FB09-00000000D401}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394659Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:39.271{7F1C7D0B-0457-60E3-FB09-00000000D401}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000394716Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.770{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0458-60E3-FE09-00000000D401}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394715Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394714Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394713Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394712Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394711Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394710Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394709Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394708Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.770{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0458-60E3-FE09-00000000D401}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394707Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394706Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394705Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.770{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0458-60E3-FE09-00000000D401}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394704Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.771{7F1C7D0B-0458-60E3-FE09-00000000D401}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394703Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.583{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B5EC92BA15A0B16E2865DC13D9AC2C,SHA256=BA356F5F6CDDEC36D14E1A60D80AF3F5D22C8ED262936463352DC5EE98C40C3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449706Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:38.601{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54292-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449705Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:40.076{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95F21FA3C577726190C7B3E511F195D,SHA256=A2800A57DF382097A87F501F151760D79862C4DC1209F9A153D9BCE1A20C2B0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394702Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.489{7F1C7D0B-0458-60E3-FD09-00000000D401}31001964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394701Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.270{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0458-60E3-FD09-00000000D401}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000394700Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE2DD0CEED257DE460C08FC31EF396C5,SHA256=8D467F325249B6F7732193A927C3D5EC5205C08249935C10AFD6AA392B0EE910,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394699Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.270{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394698Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.270{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394697Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.270{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394696Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.270{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394695Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.270{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394694Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.270{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394693Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.270{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394692Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.270{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394691Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.270{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394690Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.270{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0458-60E3-FD09-00000000D401}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394689Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.270{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0458-60E3-FD09-00000000D401}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394688Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.271{7F1C7D0B-0458-60E3-FD09-00000000D401}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000394687Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:40.020{7F1C7D0B-0457-60E3-FC09-00000000D401}13723408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000394718Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:41.817{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2434B821F23C29367D42625BEFF846C,SHA256=3826E92225DE7D70801CE1B2B865F8EEEC8B37B750F8721E7BEE601A0B7D6465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449707Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:41.093{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED0ACC45BEBBB6A1F11B15D196CDE7A5,SHA256=94DFAAB83A40D28DE8C0C8056D6612D150379497231EC1A161F25079AA4B380D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394717Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:41.489{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F984D506CFDD649B8ED0D87232ED1264,SHA256=BB9A7B6323CFF1AF6C81199C6A4F60D2AC9A3D4FAE9F3BF8BAFCAC8D86CFF34C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394720Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:42.942{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2C82C37885E4D0177D683F4CA93FAE,SHA256=3C4CA770BFD6906949B3E35A7E27196F6002BF0A9DDFF4A61779979100679FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449708Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:42.102{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E76B705CC78DDFC84FFA77EC1ADA111,SHA256=F60BBF202FA8031E33D94637E8FA24508407BACF2EA721C75AAD92A4F0CC5BD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394719Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:41.268{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53688-false10.0.1.12-8000- 23542300x8000000000000000394721Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:43.973{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0346746FFD31C9F23E5CCCD21C0764D,SHA256=2792C072C25F64BBB08FF7618D17E6233E10639C8FAEC02FE826FBB384465288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449709Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:43.137{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D577FE2D8B3A5AA74F671009E2E3116,SHA256=66E2E46C95B2B366C4BB08D92555EF0E2C31BD9B628078A0BEB8A2F01FC9DC2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449710Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:44.151{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=991559A1B95968224021C24B37859147,SHA256=1975129D3E80A6DDF69A3AFD603CA36D8884EEB928B219BD8FEB87BAA89872E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449711Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:45.166{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA30728682072B70DC1596DD1CD558C9,SHA256=435EC3F7B03A8C3C8E26DF40F02F89D121EC8DA31A7BA401A2B5577E7F0FDEC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394722Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:45.067{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B00992C29E86F94ED9A21C0E48B1B17,SHA256=17165572FF66CB72BD892D69574AEBE9F1EC5C648310F34E35E878C44DE3601A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394725Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:45.294{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-64997-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000394724Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:46.333{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1A5D2DE2555C96919EE0579A6ACF1D5,SHA256=0128003D4521D357ECD922C3D91F921855E9B907ACCC1EF6757D5D2919D0B5B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394723Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:46.067{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E9D11D45DBFC5077BC97268A117A473,SHA256=2282B3CCE6FEE4C4583D3E1ADCC923595297945D91BF6DC03FA73A1DED3F7C68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449712Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:46.198{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A3196A3D82C71EC99121D786A4DC52,SHA256=8DC2B8B23F6BE83DC666A6A0DEE2521BE1DB147F249669FF027EF1B0E6C53FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449714Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:47.233{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC71C805D1ABFBFF080D13B885B131CC,SHA256=E447E15CF278BEED195A84BED049473E221E0C12D8B85CDC94A9CEA6CD219EC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394726Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:47.083{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39E1F7483F8EF24DED50EE7FE9452E6,SHA256=FFAA4E75166438B643D7A56DD5543C48EC01D7452B6C636B3DD65ADC74F342A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449713Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:44.622{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54293-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449715Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:48.248{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E240ACADEA82DD29356F66D4D7A3268E,SHA256=1CB19FC70C264DF152C09ABC6476E6288627BB3FA910DBE4AFC9D8839F21D5CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394728Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:47.252{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53689-false10.0.1.12-8000- 23542300x8000000000000000394727Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:48.083{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBE26A1F3FDFD60E7C572EDABD661BDB,SHA256=09F787307430D57F2631007BD9AD6A3B66A41C8D308BA0EC265360B7C775F7F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449716Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:49.262{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD2376A5697EB876DD4E3D376E05513,SHA256=DAC481C572EA22533E92138746AC1E967DFFC854ABD0111FF4F599C7D8226F05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394729Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:49.083{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=134127E781693980026934E2E362587E,SHA256=5E42E55345EC402A27680577D146B9B10D7D9136BF23B232C034D680C54F520F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449717Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:50.277{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA96BD71219AFC807F9C2E940F94B6B,SHA256=5761016F098E0792D12670F21A88924CA34D8071F41D095369DC4B530950A02D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394730Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:50.114{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=469BE2EB28706AEC192F09E8176E298C,SHA256=338760CF135E4D5FFA1755BD8F53C203BBD114F3BE8C66F4496720240EFF4184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449718Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:51.293{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A848805076C5C658EFE9B2004B98D403,SHA256=6ABCDB83DB91F2E34978AA865809CFA40450E3390F039566BF10449844D1B22D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394731Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:51.114{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BDB10A78C28BAAC709C21EE1E2B1FAC,SHA256=B677171BFDFE80EE88366FD5E9637F1B350C3EADCA9EEC426EA06D6A51EA3B61,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449720Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:50.647{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54294-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449719Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:52.327{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC5695FBBBFF2F3888F7D7DBF7783FF,SHA256=601B05C55B00350F7A4EA6114B859984B75DBEB2B22A85AEA11E7F80298CDB15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394732Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:52.114{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09025A8C20F9D2DF3521E199CE133768,SHA256=18D4A50E3EB432E04B6727CB3053643FFB09EFCC3D02C38F7566EFC6C59FA331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449721Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:53.357{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E482FF6C62C88DF4197A5EFDB236C73,SHA256=64A3E1BD6E96508F47F48544EF779A3B0EBAEC24383F78666EB9AC1B01CB4438,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394734Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:52.284{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53690-false10.0.1.12-8000- 23542300x8000000000000000394733Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:53.114{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F8BF66F27B6C2791C59E5F0B817532F,SHA256=AA71DDC10AF861B62B15E69E5DE9FC4745C467F69BB43DE2CE1A047BCCD391DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449722Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:54.357{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EBFCD871E15CAB26036E2282A2B082F,SHA256=5EE334A8D92B6A34C9F3656787F7516EB139BBE88842B9A102955154ACBD2A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394735Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:54.145{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D92164BEA339C7E79E3C62D5645186,SHA256=3A3149E4BF27075B8325486A2814205B2CEE224DEC22C4E39C665F1DA886C297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449723Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:55.372{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9423952968B8684D5AC4DDF7A83CDD65,SHA256=7C9EC05E28059B6E5F81088F2BCC7B72258A85D6E3C6225497ED8F148F3F39B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394736Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:55.145{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4CED0928F1861CA233F204DD4E2563E,SHA256=8F8DC1BE448FC410D9206E6A2EB491C2A1738A832EC0C90DACC6EDE9FB68C86B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449724Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:56.390{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D1F534B563191270FB9463175BFAB5,SHA256=BA2E331838CEE9FD2B0DE3D6E10C64849F0317AAF7962194E8749D039C60CD39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394737Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:56.145{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C48A8BB0E31C0CD5FF8AD98E0E9A3C24,SHA256=DD5B598E0CB7E5D565293945BDF5BF7D799A6594CE90EB3D57F77FD3A7C8BE9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449725Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:57.458{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=991A89AB302D7682C50ADEF5C127F253,SHA256=FB28B6DE77F2730DB64496958C56E7EB1A801854B6BE51EEFE26AD1DC50E3468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394738Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:57.145{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19723FA2960EC56E92A85CF5DE074381,SHA256=BA09AFFAADB820CEDD3EE5771F01C18D58F1B6B60AF848DE271F138951E3FD9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449726Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:58.473{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CE3E23C8BA3CFD4067AB5DCB4AD665,SHA256=0B866ADFB78761528526263E82ACDA3CF1DCC8735CED7167FDECC704FE374411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394739Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:58.145{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A2DF1ABF2362EF4DB7F0F49E8B11E99,SHA256=8F98967B5E338541600C9AB2D8C575531070209AC59EB16662A8AF2B05276CC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449745Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:59.941{D694AEB8-046B-60E3-8A0A-00000000D301}52324128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449744Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:59.741{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-046B-60E3-8A0A-00000000D301}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449743Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:59.741{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449742Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:59.741{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449741Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:59.741{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449740Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:59.741{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449739Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:59.741{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-046B-60E3-8A0A-00000000D301}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449738Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:59.741{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-046B-60E3-8A0A-00000000D301}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449737Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:59.742{D694AEB8-046B-60E3-8A0A-00000000D301}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001449736Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:56.649{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54295-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449735Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:59.492{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F3341F15B0FFE0B715DCCECBF314F95,SHA256=DE70201D29E28015D393184CFBBE61F9318F5BE48DCFC87BC569B0FCFF092FA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394740Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:59.145{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D8FB76AA20FAE0873749444A5ADB76,SHA256=237620FDE1C49C9789C85B7DB931818D8A016F8C6CE67833DB208435AC7D385E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449734Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:59.142{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-046B-60E3-890A-00000000D301}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449733Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:59.142{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449732Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:59.142{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449731Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:59.142{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449730Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:59.142{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449729Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:59.142{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-046B-60E3-890A-00000000D301}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449728Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:59.142{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-046B-60E3-890A-00000000D301}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449727Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:08:59.142{D694AEB8-046B-60E3-890A-00000000D301}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449756Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:00.524{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C73A9F60066CD69383267BE102BBFA5,SHA256=9DA6D1B290CF729BAC095D4886A68BA8A1E4355EA74A71CAA92B224C0382D319,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394742Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:08:58.268{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53691-false10.0.1.12-8000- 23542300x8000000000000000394741Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:00.145{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01985334563A5761AD1D173DE4CAED95,SHA256=B3F46755C0109A6B0CF52B289CF7D495F4BB349A992926636C96BFB7DAFFB331,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449755Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:00.356{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-046C-60E3-8B0A-00000000D301}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449754Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:00.356{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449753Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:00.356{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449752Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:00.356{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449751Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:00.356{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449750Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:00.356{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-046C-60E3-8B0A-00000000D301}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449749Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:00.356{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-046C-60E3-8B0A-00000000D301}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449748Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:00.357{D694AEB8-046C-60E3-8B0A-00000000D301}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449747Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:00.325{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7541DE1DF8CD6C1BAB5631665CBC5F8,SHA256=1F43C8421C9AC0CF325A1AF410FB5098C1C9673F96714091527B33C9A4DFBE23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449746Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:00.325{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA9C501A082040DC85613847B61A20EA,SHA256=77A170C4B763FACD3BC237A56DAA6225F7CBB3ACC634DC2C63718910DD88E076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449758Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:01.539{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EA96403211165C994C5F2D787AA1726,SHA256=CB62B377F160715556512C428651766472FD5A8EC1084912B10253C8763C1164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394743Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:01.145{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA732087BDC0D9F8BCFCEFD8D4D1E6A,SHA256=A15DD55C1996830C4C8083539DF1A5E0F6176797168A4F3B07FA0605F3CA0C8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449757Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:01.390{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7541DE1DF8CD6C1BAB5631665CBC5F8,SHA256=1F43C8421C9AC0CF325A1AF410FB5098C1C9673F96714091527B33C9A4DFBE23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449767Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:02.922{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-046E-60E3-8C0A-00000000D301}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449766Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:02.922{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449765Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:02.922{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449764Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:02.922{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449763Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:02.922{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449762Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:02.922{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-046E-60E3-8C0A-00000000D301}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449761Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:02.922{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-046E-60E3-8C0A-00000000D301}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449760Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:02.922{D694AEB8-046E-60E3-8C0A-00000000D301}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449759Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:02.553{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13DC4131F2C0C2E3762A5CB9934B99FA,SHA256=7587A630BA5A421B739B64959C37889DE25EB84A061A72437B7AEF520721064F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394744Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:02.145{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C88B09CAC74E1C31B08F2EE239549A7D,SHA256=57B3CA0952A9635A48601D5E973673E8BF88F77BEA661D3DBE8970AE606A5898,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449778Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:03.722{D694AEB8-046F-60E3-8D0A-00000000D301}7365316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449777Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:03.591{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-046F-60E3-8D0A-00000000D301}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449776Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:03.589{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449775Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:03.589{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449774Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:03.589{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449773Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:03.589{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449772Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:03.589{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-046F-60E3-8D0A-00000000D301}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449771Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:03.589{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-046F-60E3-8D0A-00000000D301}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001449770Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:03.589{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D505165052A498A886C0D8FC10C7F0,SHA256=D75AE13E9E33DE651986C85C53043D5EC98F862E42BA73E3C02E46B26D6E0B03,IMPHASH=00000000000000000000000000000000falsetrue 154100x80000000000000001449769Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:03.587{D694AEB8-046F-60E3-8D0A-00000000D301}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394745Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:03.208{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573C3EFB2A2E4DE33CD1DB46C13AD9A8,SHA256=3A5AE8F0C6CF2436D9DBED3A1EA1768881FBA0F6132D79685139526DF76A43D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449768Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:03.090{D694AEB8-046E-60E3-8C0A-00000000D301}68844956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449797Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:04.927{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0470-60E3-8F0A-00000000D301}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449796Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:04.927{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449795Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:04.927{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449794Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:04.927{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449793Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:04.927{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449792Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:04.927{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0470-60E3-8F0A-00000000D301}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449791Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:04.927{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0470-60E3-8F0A-00000000D301}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449790Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:04.927{D694AEB8-0470-60E3-8F0A-00000000D301}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449789Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:04.612{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63CCD5EEE4D05A42540B65B5DCB745CD,SHA256=01D220E6F5590BD727824A797C7671EBF9AE67A802CAD6FBE0099608A30137E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394746Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:04.208{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2470CD368B6CEDAC93AAD3DD83B1F93,SHA256=2CAFA1CF89215B0CDE7C2E0C58885D6E1F99D2AC89B6F1ADA462B13CFA9AEB73,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449788Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:02.662{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54296-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001449787Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:04.252{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0470-60E3-8E0A-00000000D301}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449786Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:04.252{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449785Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:04.252{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449784Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:04.252{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449783Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:04.252{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449782Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:04.252{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0470-60E3-8E0A-00000000D301}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449781Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:04.252{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0470-60E3-8E0A-00000000D301}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449780Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:04.253{D694AEB8-0470-60E3-8E0A-00000000D301}6752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449779Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:04.021{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AFF0EB11BA1067980D327300DD1FB5E,SHA256=D83833219B1B82D07E54C6F1961AC5E2FA81ABF5E2C6F0C510A0491337FC9E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449802Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:05.642{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67BA82CD8330F72E32F4A877F5150129,SHA256=C668D7E8B432F1CEECD07B2F1A03C82715E50FD4CB432FEC42CC8E22B6C4833E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394748Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:04.237{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53692-false10.0.1.12-8000- 23542300x8000000000000000394747Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:05.223{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F0D085F63D03A211FDB91D0EFAF692,SHA256=16617149DDE4C77A494B0BDEEF901EFCFBFB89FCA5F6FFE2BA276975AFCB274A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449801Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:03.124{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54297-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001449800Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:03.124{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54297-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001449799Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:05.257{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5CF0015EDE9B7D4DD42A490027110EE,SHA256=CF1A320A2142A405D54593B8992F95B0A9B66E05884BA65A04DF9EF4BCA6D3F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449798Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:05.073{D694AEB8-0470-60E3-8F0A-00000000D301}57805604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001449803Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:06.691{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871EB5C26D34AE217C9C08789C53F32D,SHA256=CA54CA0156C4EBC0D56F316B8EBCD2F96DAABFCF122F6FA1C6A37248D3503BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394749Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:06.223{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BEBB994C1DD5339466AF227A5E77196,SHA256=7F97D13C3B129C6408EF1931B4223AEE672F6A4FAEBED34551C1AE120A7E115E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449804Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:07.709{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D9A113729F1841B53C21A2E7001C356,SHA256=C9166AA431733D1D32B1E25D1E7F80396BD3074F37E34AD2E8C7A953FD268A16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394750Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:07.223{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148DD2337FDAFBD8BF9F8CC0857C697F,SHA256=96130FA12376E7F50C75317C5AB6CF026E8C8D987C4A30FA9F747FA8A61BD88F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449805Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:08.725{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B4A0BFC8A73D38A4BE1DC3598107584,SHA256=5C5CAE346DAB6F43633294313EF2DCDF52386D06687A62184D020F23F22C51D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394751Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:08.258{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874B8FB132D08F6D4E0F8CC575F45182,SHA256=AB18D95D7F4CF6F6738A0363E593CCBC73A276C7926D73FAC16C7721B9ED627C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449806Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:09.739{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D255F9DF88B55A7E00381BCB96C2B36,SHA256=985F9AA0C464EC84FCE00A9E459F584A62F41459121EA63C04544126BB6BD147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394752Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:09.285{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A58C4606AA1221737BAD53AB8DAB9F20,SHA256=886C6A2170BE27D22DC8B7B31B8741DFD696E70C8FA58569F9D44974705048F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449808Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:08.664{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54298-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449807Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:10.754{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B65D1FE60ED8305EF793801ABA70FD3,SHA256=DE8EEBC6154761E9B931C25F0430962C9FD7D9B5473AA8A37F7300DEB1620653,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394753Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:10.388{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA529945DE9B7ABC597B73CD7AF4F1E,SHA256=6EF427932F39A361411EF9EBCC4B16DDE377C99A51D63EB981F09875FD3CCAE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449809Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:11.769{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE0556CF77993D92CDE44E9F243EEBD9,SHA256=BD6A8F297F7B39826463D44243E165FDA7DEAB7C75794D33A3F91D832EB767D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394754Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:11.451{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C317EA7D58FB26789C9379886F3D938,SHA256=07DD92A480887977F2F1E0EB7A1E9F14CE9F392CF50226DDAE9E6709E081D5D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449810Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:12.786{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04875EB612D1BA706C67DAD4566A0FB6,SHA256=8C9BEDC269C67A1D57B135AFFEA96ED0E063061D0095F08BA2B8484A6D01BF08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394756Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:10.236{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53693-false10.0.1.12-8000- 23542300x8000000000000000394755Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:12.482{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16530C31D3E3467625700BC67861A715,SHA256=AD9B3FF1DF17D4E7A4EB5913D4873F81BC018AA0068DF5F4099EC20FDF230EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449811Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:13.804{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098F1FA8D894392DDF9625C88211E206,SHA256=4A8A9EEF035830BBECFC7E199A1C7854185F0D36B3C18344195EC5E184B0486C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394757Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:13.482{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=940AFEA0FAA5206DC135F67EB9D9E65E,SHA256=8BE31433F91055F344FE84F1A4EF9B8A173E1D863794354FC5A8394C03A05963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449812Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:14.834{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5D4CE47BDDBF8EA323739FA67D2134,SHA256=1EB251FA974AA58BF21D862D0143D63010B80E83440403D9B80AC8D4F79636A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394758Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:14.685{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67AC841A95728DA6AB214087AACC120,SHA256=6CFE5F9E887DDEE73C93FEC8EB66DAFEE477227B059F41E3989A8085C15A3152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394759Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:15.716{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6BFD6AC1696573295D53BDF27D9424B,SHA256=BF6DF44A6E0C31CD5FD76E9BFC3797AC57812269F6D88112513D59ABECD03ABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449813Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:15.849{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604D29CB16962AD6D9C9043A3A10975D,SHA256=E3D1B42C4D96760A90E9E05B71B58D3E8BD3D305793D92714F447AAAD3858A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394760Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:16.795{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB79AAD9FD0133BE15CD74A599297413,SHA256=9D3EFBCC010D0248F29CAD74D42896F4C21F3DF239E337D0DC179EF46C233EB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449815Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:14.673{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54299-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449814Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:16.864{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9124120019FB1745D459A18D4E72516B,SHA256=92B8B0344CB19D81DD606E28A5FBAE586AB5F29D08FBEDC690824B8B174678F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394761Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:17.795{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A89899B7159DBB8BA131E9092D989806,SHA256=7619B6B50536BD35EA7584918E1C3FE3D7CFFAC48FED6738F578A32833C8E59C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449816Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:17.882{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F959D9C628FA6917940FF500936388E5,SHA256=B6CBBF452CC690EF6F95E0BC9A9DC2568DB095C2D0E4AADC71D8A6296826C67F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449817Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:18.900{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D851025326FAEBBDF1D3EC5A75EBB916,SHA256=17F199E84C6E95C1FA0939C24984D708C71A79819520E616C6ACA69F031BD961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394762Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:18.810{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E00E6CF2EE4B565EE4CC0BFFAC2031E5,SHA256=9917AEC6F8509DE420359CBA6D55CFD78F2F82A4A3AD27AF6CD858C636CCC63F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449818Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:19.915{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2682D365B959A9B35C47AC76A0E6173,SHA256=DBBD0AB82A968794470DB066621306BA757BF5F06CEF3AD6D6FCFEB9F2A8F497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394764Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:19.810{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11392506AB79FEB3F4CAF5A4A21D0A6F,SHA256=AAA732516D2A479C0A4626EAD7816B930104EA6C6F918FA32B95539123600158,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394763Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:16.246{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53694-false10.0.1.12-8000- 23542300x8000000000000000394765Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:20.857{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F8BE38E15B3EB741F5E47D8446CBB94,SHA256=4E771A4C6A69CD783615E7549D8B9BD9502B0EF961753FE0AC4DBA9AA61ED44A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449819Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:20.962{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75FF2D4619630E7BBD0BAA29C321AFA6,SHA256=36BA6D39214470EDE62260B825B056B6216C91C2D5150290D7F39EBA19447DEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394766Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:21.857{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=274B6D195E72F67C092DE6243DFE0C7A,SHA256=3588936C6C058673C64907AE91D1A0AEBAEF370B656194E7950316FC29DC9334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449820Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:21.978{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9803C6BDA97DA555ED4094EB37D6100E,SHA256=71641AC20617DBF714B54DD4C3865FF354BE7D38ACA51AA36F8B0D6937C21583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394767Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:22.857{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54FF5DAF21C410358F64552031908533,SHA256=D9D5763F2C332C9794A08B4726294BA7044931DEEFC2008074E3F4AF9EB62B92,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449824Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:20.685{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54300-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001449823Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:20.446{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-24217-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 23542300x80000000000000001449822Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:22.544{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF8C5314D74EEA4AF6EC7300C9E5D069,SHA256=DAB3CBE48181EA927BBCF02659F909F4F4FC953C8B47104D37E724629A0CDF64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449821Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:22.544{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64EECA9D0ECF17FCA094A94C40CD994A,SHA256=65D0EE11C5B9415B4C665FBA564FD98EB4A177EACE0F7E99B5CC067EF5753439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394769Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:23.873{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A5439B9C2D8E9232A92BFAD5067114,SHA256=6BED250AD47D79F53AB388C8D03B3D260915227404A73369C602EF25BA6E3B12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449825Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:22.996{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7446C7ADAA676798F61A3C5EAE3F5D8,SHA256=D48524E32D7FE2300DD350670F8F794BEDBBC6104213DD6A9B3A42EDAFD92205,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394768Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:21.433{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53695-false10.0.1.12-8000- 23542300x8000000000000000394770Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:24.873{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAAFE48CE7AB7A0083EA130E0CCD930B,SHA256=24990275CF18247B86738CED31300126A1D8E530CDEDB4736A4B66A3205A96A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449826Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:24.011{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E313275E8FE4F6FF1AB3B0F981342FD,SHA256=56673EE3AFD3D28635A5D48DD9BE459F3D48E5D80F1609F2D3C98374D4EFE6B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394771Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:25.873{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16EB75C8C333B956E60AE953DA6166A,SHA256=7843361B54741372C3D9D2E0691122ABDF0C1B69CE40D47C2EBA30A526B0F6CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449827Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:25.026{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0CDB84CA558BD692112D451CF949348,SHA256=4566C982FC53EE0B9AB768EA837A50A6648DEFEF22680588DC3E6E30D1843224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394773Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:26.873{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC2ED1D095644E5BD5480F8076494BDA,SHA256=42E7F6AC261DC66779346F0E1522407A31365098B95530C596137E4783C96838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449828Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:26.040{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7C47EC7C814809BF5F82C80AA89DAE9,SHA256=854AFA44658C8056FB4215A5BC4ED4D1C497F9C1870E005A69FB2372B214E3DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394772Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:26.232{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=29EC4B7A9B7CFE9A6B633B9C0F0321B3,SHA256=1FC1D6B27FDF86A24ABD7E94190C63FEF9EB12567F626DB7BF149D2BDEF9243D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394774Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:27.873{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9263F14CD392DCE63D8BD90D31A685BE,SHA256=11F4682ED034CFCD49F432A01D59AEE2FECF0ED51B1D9D452B5DE2B72851B3E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449829Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:27.055{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD559312819866F0B5871493EFA9CCF,SHA256=980841727A9446735E6603FEC9331AF544BAB0C7A19783E8C2B5B8EADEB9C55C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394776Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:28.873{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748FC8A733997FEDADD41D1C255392D9,SHA256=2EA3F9232CFBCB1FC20ABFB0C7F961B530A4D3B3CFBBAE2A0DD6CC8F27E17F98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449830Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:28.071{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F69A2662D7E771185DD910F5EA19C69,SHA256=5E6B3C098D8FF9881B8F7557DBFF8E29505ECBE410DEE42AB9C6D0F3FA4F6E44,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394775Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:27.434{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53696-false10.0.1.12-8000- 23542300x8000000000000000394777Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:29.873{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4EA8A4C29C394F02A061FD57B358AFB,SHA256=6FE65B5DD08EA5C284860811076065BF79CF1093659095AB9F6866AF6CAFBE8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449832Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:26.679{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54301-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449831Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:29.091{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A45C9CF91830998A1B8ABD12B2B368,SHA256=5645744E756E4A9E6406A68575CA4E3C9C83A3D0F26E409ACCFA22E0BC54E41C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394779Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:30.951{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53E95FE76B3867D11D874CDFEC829255,SHA256=22327355012F94967A371B56B485C42D28FD55619ED6A781F0B131F5E1C06AA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449834Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:30.138{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A3E439A25B876D7C70873F8F776014,SHA256=98DA3F88281886EFEC85C7DFFED6CC124D43673F59C63DA248E477B8F62CACB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394778Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:30.779{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449833Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:30.053{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394780Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:31.982{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70CD00028D40957A725F1BE92F8CA1A,SHA256=4932D5A7357A43D0EE932EB4111FC7F526FC9CDDE7B15BF26683E8517EA217BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449835Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:31.170{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD196C3D6329B795632867159B816A25,SHA256=A12E66DDE7EA01F4DEF547BF1DCC7EE3147F5D204308A568164CC5C15B843CD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449837Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:29.493{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54302-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001449836Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:32.189{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A075BEB8A4EA22FA57197F357504FA91,SHA256=D4A993D41B2BC3DD261FCAC98ED70824B05593DB4DAE5056A0764E1579A46A97,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394781Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:30.949{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53697-false10.0.1.12-8089- 23542300x8000000000000000394782Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:33.029{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34DBEFE6AB5B60DB63C5095B1EC26F39,SHA256=A3EAF0B9A6FECE6221F7E950DA98F5F0D63C9BCC3DA4C44FC4DE65B5117295F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449839Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:33.787{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=87499DB45C7A6D86090C42988424F65C,SHA256=841CF46F2AB25F5311A382D962B8105E55448B8A4DACB6DA62E0FD2136D589D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449838Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:33.203{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF901BB6AC42F40E3F3C004142CF643,SHA256=4662FB0075FC6251AC6AC852F6D4C88CAC451D929B235AEE2CD5805BA79FAF06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394796Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:34.623{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-048E-60E3-FF09-00000000D401}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394795Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394794Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394793Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394792Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394791Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394790Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394789Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394788Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394787Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:34.623{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394786Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:34.623{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-048E-60E3-FF09-00000000D401}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394785Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:34.623{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-048E-60E3-FF09-00000000D401}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394784Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:34.623{7F1C7D0B-048E-60E3-FF09-00000000D401}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394783Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:34.060{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E22DD603EC8CB886A0E032311764D9A6,SHA256=42A26FEC3E6D56A57B3D1FEDE24F54870FB237A2ECB8E045E0D97190746E5033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449840Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:34.218{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF06D1EE46A1A536D693A54708D9545E,SHA256=E82BC94227463FF1E953CE1021CA120ED6769F2180F9626F165F1094BCCC0B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449842Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:35.232{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BDC85CF326E501479D5B2458560C5B3,SHA256=67D6EF205ACF0EB79650F86CF02C068D9AAC71C763981DD73BAAA689471A9492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394827Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.841{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26C7FB4BFEFBCB37E8171B377EEB6C56,SHA256=5B4AC3F2BC4219FD7F7A6CF3D5E9CDB5BD53C3BA106FE9E1C7215793BD3E5C9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394826Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.841{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFF68E6BFC40288402D6A5CBB8E2AB8C,SHA256=E99E4245D153F0FF55FE5223567BDCF729C851F4FE6721D1B894134175B00728,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394825Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.795{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-048F-60E3-010A-00000000D401}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394824Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394823Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394822Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394821Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394820Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394819Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394818Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394817Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394816Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394815Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.795{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-048F-60E3-010A-00000000D401}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394814Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.795{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-048F-60E3-010A-00000000D401}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394813Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.795{7F1C7D0B-048F-60E3-010A-00000000D401}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000394812Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.513{7F1C7D0B-048F-60E3-000A-00000000D401}2883344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394811Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.295{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-048F-60E3-000A-00000000D401}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394810Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394809Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394808Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394807Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394806Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394805Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394804Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394803Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394802Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394801Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.295{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-048F-60E3-000A-00000000D401}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394800Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.295{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-048F-60E3-000A-00000000D401}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394799Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.295{7F1C7D0B-048F-60E3-000A-00000000D401}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394798Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:35.138{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591B28D5C756C71FAA617AC4C30DE5ED,SHA256=8A46C282C64EA247A216D687F2DE4E847192C3152ED07575DF46E103E7BA70C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394797Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:33.449{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53698-false10.0.1.12-8000- 354300x80000000000000001449841Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:32.690{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54303-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449843Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:36.264{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EAA21C574395748145490C9694BB190,SHA256=B13B84103E3A1C7B5DA54C79213F45D96C40B3DCE79889A240E208EF128A7F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394828Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:36.248{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6BBA109618E19F7DF5C90A934073536,SHA256=611839AE6A08006CAFFBE15D9EEECA0D77DC14F58417DAF813F991C9ECF344C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449844Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:37.298{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA0B11DDAA74FC232C2A9DB1ED78B31,SHA256=B8D5AAF3D9DB2870997B933BC2C2DE2F92466A94355A02D2B468F1A1F9FBC708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394829Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:37.248{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F5FFC89B631FADA7831B34E3DD6EAF,SHA256=40CC92A7E023204DD8FB5DBCD39024988853B45158EE91413564FBEFD68B15F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394830Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:38.263{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E57C9F006828505211B49774145104BD,SHA256=C0271350DEAA37F7AF2DE446D57BF35C42083EED4CA19375A538F8ADF26DE909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449845Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:38.313{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=754CF54080135BEA1AE9F108BB0C5F14,SHA256=F05E58454B2C7C57301E752AA23CA145B03CB5FC293F81453F981CC1F1D26432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449846Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:39.361{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120FBBDE09ACEBBFDB44131201304AA5,SHA256=87DE26F44CF2679023F5BBB4C74C78169A1B75D525D981FA799FB98FCB631424,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394859Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.982{7F1C7D0B-0493-60E3-030A-00000000D401}9681760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394858Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.795{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0493-60E3-030A-00000000D401}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394857Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394856Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394855Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394854Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394853Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394852Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394851Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394850Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394849Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394848Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.795{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0493-60E3-030A-00000000D401}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394847Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.795{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0493-60E3-030A-00000000D401}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394846Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.796{7F1C7D0B-0493-60E3-030A-00000000D401}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000394845Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.529{7F1C7D0B-0493-60E3-020A-00000000D401}28763224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000394844Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.373{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253B2F080CB829DDA2A4227ED1C2A945,SHA256=E9A883E71FEE1F5666C095277025AD8D40CC9B449B9DE2C8613108534F41092B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394843Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.295{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0493-60E3-020A-00000000D401}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394842Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394841Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394840Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394839Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394838Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394837Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394836Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394835Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394834Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.295{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394833Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.295{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0493-60E3-020A-00000000D401}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394832Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.295{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0493-60E3-020A-00000000D401}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394831Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.295{7F1C7D0B-0493-60E3-020A-00000000D401}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449848Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:40.364{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F4DFFC1458479EE3F854EEBF0066CB6,SHA256=7F9BFB1F24AA2571FD02EBC7A940F5DBFAF39F6EBABA9E50A5DEF42E83905AA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394875Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:40.576{7F1C7D0B-0494-60E3-040A-00000000D401}16202308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000394874Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:40.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA20B26F671FAC0133F446BB00D768DF,SHA256=CE786518C54184981BB53957FD8192F9D2625863132BB4CAA12D893B9CF12BD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394873Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:40.420{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0494-60E3-040A-00000000D401}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394872Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:40.420{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394871Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:40.420{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394870Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:40.420{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394869Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:40.420{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394868Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:40.420{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394867Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:40.420{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394866Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:40.420{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394865Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:40.420{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394864Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:40.420{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394863Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:40.420{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0494-60E3-040A-00000000D401}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394862Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:40.420{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0494-60E3-040A-00000000D401}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394861Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:40.420{7F1C7D0B-0494-60E3-040A-00000000D401}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001449847Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:37.699{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54304-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000394860Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:40.341{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26C7FB4BFEFBCB37E8171B377EEB6C56,SHA256=5B4AC3F2BC4219FD7F7A6CF3D5E9CDB5BD53C3BA106FE9E1C7215793BD3E5C9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449849Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:41.379{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B2A8CF1251FAA072DCC30487A649B8D,SHA256=08B2D996624329FDE3BC8B7C89B4494952C9D474CED6D145EC12EE6767AE8C92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394891Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:41.576{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EE9A752F4AC91A8DD138916CB6A2217,SHA256=2A439A0482E8AB7D82E8DCDF9E50EE573C963C84917067D6541B3728C05FF828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394890Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:41.576{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0987222399535C237FEB1EA3650E7783,SHA256=0AB255523CD865E6F09B82516682E1B4B64554A34C4D4E345D073F37F9453E08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394889Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:39.231{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53699-false10.0.1.12-8000- 10341000x8000000000000000394888Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:41.091{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0495-60E3-050A-00000000D401}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394887Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:41.091{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394886Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:41.091{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394885Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:41.091{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394884Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:41.091{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394883Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:41.091{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394882Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:41.091{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394881Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:41.091{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394880Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:41.091{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394879Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:41.091{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394878Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:41.091{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0495-60E3-050A-00000000D401}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394877Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:41.091{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0495-60E3-050A-00000000D401}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394876Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:41.092{7F1C7D0B-0495-60E3-050A-00000000D401}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449850Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:42.393{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145CC1ADDF7C50B6D9AFCD706777ED95,SHA256=63EDC357F559DBB479DE9E5DFE764241A813976E81AF5E1C79CA901C8CBCEB8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394892Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:42.466{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0A98CC9AF36866F7CD024AF579AF6E1,SHA256=3AFC7E5D728A1E5E4DB77C88B73FE68C60A7AC246661B18BE266FF3206D35A78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394893Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:43.482{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=516E54D09FAAE288E42DB1CEB263EDFF,SHA256=334DD540CF19647840A7C3B76B327E189BB140652C3D5CD051AC826352609261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449851Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:43.439{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C8584FAC7B95B13B973254C3E71827,SHA256=2B89FEF2C9A73D83862739F14440DB8B5AC49AE0E79F65A8125E2F1A729B87FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394894Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:44.623{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EA11F074789CF68158168882C86AFED,SHA256=847367BE0D5A08B8ADD58CC761C68F1AEF4D1A8582193EA5CC2D660180B98E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449852Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:44.456{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=393D964719ED7996208574B91A4B3D5F,SHA256=9E84F3CE039BD41384FCB45AD3EC695970465C3F5F0425D974F7273D45134BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394895Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:45.716{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D0E5290EA2F971101F7C7AA29AA4945,SHA256=6DA98AA4D75B412BA9D7882F916DF7B00346DF23C46AC50C6BD2D1313C9CBCE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449853Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:45.475{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=361F5D49A9E9592797A20FE3310E278D,SHA256=1DF1A16B1D413A488391E77DC3ADEF8B1318A0E9BFA3668B8D9B98481C75AF57,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449855Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:43.462{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54305-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449854Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:46.521{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB68AEE894C0C06D5C3BEFC800E58CDC,SHA256=2E803EB79A9A2DDEA55448B66946FFF27E5D146BFCBD0972F89CB6E2BF3275B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394897Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:45.246{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53700-false10.0.1.12-8000- 23542300x8000000000000000394896Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:46.732{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B57376E10E807CA52845437074F946A,SHA256=1FCB8F49E895EAA36A79731887E59FDF4D6FDFFB65C06977F96CB03B71145886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394900Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:47.748{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC0AFA70888C30C258D6DA30CA17A4D,SHA256=109D9A5CD52D1085EB95F8B630C426CE4BCEB834FF56F7E6FC06F4077A75DE47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449856Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:47.536{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED99B9F906CAC53EF5D0FFB386FBF798,SHA256=6FEBA5126AEEE542E19A263235FBBCC2A9C8B0BB5B58E0270FEA51B26CCAD79B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394899Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:47.732{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D207D22A0D291A2AF2A2A12E3E5C3757,SHA256=2460EA8D411DDE653482C62B75D85982A196C1E2AFF7EE70999E4D13475FC0B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394898Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:47.732{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACFF72E9F71AAD32BD5FF72BF647CD6E,SHA256=93A3243BF9A3D3ACAC50E6430649C463B10F0DC6D435A7EE4CE2707F4EC27E2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394902Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:46.612{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-52611-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000394901Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:48.873{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=339DE50C3FFED6E7C4CA3962E656D65D,SHA256=293DED936920B4B7C74D249D64EEBEAA4A0D4167C43EDCFA01847ADD6B8257D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449857Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:48.553{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B5822B2A0F669404ED44AE335466961,SHA256=31D7073E3480B7181A09E08DCE4B563796282D686D2FFD731CBBF41E4D3ED603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394903Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:49.873{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052726BF902006F132871FA2F0A36105,SHA256=66D6093B217EA353D074429292479BC240AB8523AD4902EFA61B8A4E620B2CC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449858Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:49.572{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CBBEBCDD223B90883B39079D620273E,SHA256=D9CA0950AF6B57DCC29435EA886F59612FAF53BD2AF7DC871BCFD76AFAFDF746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394904Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:50.951{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF6B5315B0FFDA142B17BF9286F6523,SHA256=46B98BA2BE93B14B10B8A9DD7BFCB246588CEB53B2E840D3BCCD009B5BA02CB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449860Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:48.706{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54306-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449859Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:50.587{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C848C90E0F7EBDA02278D30388E7EC4,SHA256=F7249430150933F739C6AF73C3B2CD16188BA291D0A35E1894A98B9BC5D33778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394905Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:51.951{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4649354C616DB548D5697F734F8564FA,SHA256=0022E3437FF539614F9B9B02DE950EDA4A43C4827B0D6AC70873CCB09D8915D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449861Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:51.601{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=613F579D04A0DC7BF85732B20E8FE854,SHA256=4CDC875C9C53D7A8FA12C712A00C8BEF564BE8A78FE1072571CD63F2658B808F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449862Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:52.616{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C74D1E43138C3F33D5112C86840900,SHA256=812DAB112FC397E2BF29BFD7FD27916631AB58E9289F074C970DC71D07E497E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449863Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:53.630{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379E9564DC0DC176B4E142CA58015869,SHA256=E0447FC64E9D243205DA15D47408AED9F610167891D1464D339740BFD7903F90,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394907Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:51.231{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53701-false10.0.1.12-8000- 23542300x8000000000000000394906Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:53.013{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCBF56C0157119D8DE7528A1CE697A02,SHA256=150AA0407BC88DFAF4BD43F37BD4BAAD74E98C2749BBD2B80258E35AA654E90F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449864Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:54.647{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B741A218F19402EB3F4D34501F89036,SHA256=1A2735C2E533955D12037FAF54D3E16B1471B072390DABEE6B4A483796B5B19B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394908Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:54.045{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=202FCA0DD32C48353DDDF62517A72D76,SHA256=5C9658A17D856CAA916A11E5342EDDB490748827C9BB9A41A409F16670CA184A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449865Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:55.681{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B97EAAE8D2E02651018B47848EB6C1,SHA256=CB701D05D85D711ABD22E2776C932D2C75FA70DB6D8B1F477B09106F4CEFF9D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394909Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:55.060{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864C6F17EC96B37925108CAB06A767ED,SHA256=59350A0C2452CE188EDDC730386118F7A459A040CA2B1E736F55A227EFB4037A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449867Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:56.695{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2352206572B7FD0584997087DAF768F,SHA256=A9688AD1645D4D70C4AE09EC5DDA0B603DF5F18BFC73F51E4AB9D3AF7A906AC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394910Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:56.060{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D88FB4A1EF525D69DEAD175A67C6B52B,SHA256=E2831F652A249587DC8EB1D8A79256086353A5932A50B777ACF4FC9B61154C97,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449866Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:54.699{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54307-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449868Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:57.710{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771976B0A80879E42547069396D5616C,SHA256=7C54A6D408B522AC954943CEC24006348EE70520051F99AF7B801756E3D96314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394911Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:57.060{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54068F1A4BC2F69DD2F3AEB7252B3739,SHA256=51F5963060E731CBCDEA7A27F66D3808888C0E7172D132641A5E33F8B237D6FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449869Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:58.742{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38A2609CFFC29BE2F22238F50993F50,SHA256=3546108ABA3716E6A291AF48C9E281FB2B7F185CFED45CD34E9ADC7C54D0507F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394913Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:57.278{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53702-false10.0.1.12-8000- 23542300x8000000000000000394912Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:58.060{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8537EE6C973DF894C93870A2EEAD018,SHA256=AD51E96108ABAEA2C9CCBF568E8038845458F1FF48E0B9CDCB2DD8720C2C2673,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449887Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:59.908{D694AEB8-04A7-60E3-910A-00000000D301}2584600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001449886Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:59.777{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=575F4284EEED5F38FD474517E87A1F50,SHA256=9CAD0BE5D1ABE23A068F82350EBBE2222342F46796C54F74281F0B4BCB61C6CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394914Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:09:59.060{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB337B8AD1C2B6B8D2E964627C06DB6,SHA256=6505153B430420651ECE2C190DA12DC620F327F70FA68D691DD6F522294F5A8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449885Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:59.724{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-04A7-60E3-910A-00000000D301}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449884Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:59.724{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449883Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:59.724{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449882Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:59.724{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449881Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:59.724{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449880Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:59.724{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-04A7-60E3-910A-00000000D301}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449879Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:59.724{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-04A7-60E3-910A-00000000D301}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449878Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:59.725{D694AEB8-04A7-60E3-910A-00000000D301}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001449877Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:59.146{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-04A7-60E3-900A-00000000D301}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449876Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:59.144{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449875Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:59.144{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449874Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:59.144{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449873Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:59.144{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449872Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:59.143{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-04A7-60E3-900A-00000000D301}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449871Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:59.143{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-04A7-60E3-900A-00000000D301}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449870Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:09:59.142{D694AEB8-04A7-60E3-900A-00000000D301}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449898Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:00.792{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8FA3FD41ADBBCD7597C595F7EAA5B8,SHA256=70B33A0761F55BD2C14ADC61DE60E953A61B3059568B11DAEE10935200A63593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394915Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:00.060{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C6F6F332FF459B634D37209A0A1966F,SHA256=4BDD90C073E7B8F3E690A892CF2B2AEEE4E0764FF05E402C2105AE1F26C2B4A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449897Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:00.393{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-04A8-60E3-920A-00000000D301}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449896Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:00.393{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449895Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:00.393{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449894Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:00.393{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449893Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:00.393{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449892Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:00.393{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-04A8-60E3-920A-00000000D301}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449891Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:00.393{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-04A8-60E3-920A-00000000D301}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449890Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:00.393{D694AEB8-04A8-60E3-920A-00000000D301}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449889Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:00.177{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=136835D82A770E545EB431A87054AB81,SHA256=802B0D6D7076E7CD58A984BA3DA3D09B412675C2226225CA28AC727D01AECE60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449888Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:00.177{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF8C5314D74EEA4AF6EC7300C9E5D069,SHA256=DAB3CBE48181EA927BBCF02659F909F4F4FC953C8B47104D37E724629A0CDF64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449900Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:01.822{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99D35026FC19C4E0A2C4CB21B36E489D,SHA256=5B68F131DE633AA975401ABFA78C0103090A0CE6537FE6F60A84B729F211D41A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394916Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:01.091{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=383262E02077FBC081F53FE039A3A209,SHA256=C7C91AC06947063854A63E4F7505BC5301694F8B346C29492915037AEE43C6EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449899Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:01.407{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=136835D82A770E545EB431A87054AB81,SHA256=802B0D6D7076E7CD58A984BA3DA3D09B412675C2226225CA28AC727D01AECE60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449910Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:02.921{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-04AA-60E3-930A-00000000D301}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449909Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:02.921{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449908Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:02.921{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449907Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:02.921{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449906Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:02.921{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449905Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:02.921{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-04AA-60E3-930A-00000000D301}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449904Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:02.921{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-04AA-60E3-930A-00000000D301}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449903Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:02.922{D694AEB8-04AA-60E3-930A-00000000D301}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001449902Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:00.462{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54308-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449901Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:02.843{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24060071B20CBC5F22D6706BFEDD04B8,SHA256=4E562733C6BD8CF3AA6719E43E00593EFD479394CF01AD6D82729AB67EBF82C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394917Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:02.091{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D973A7C5D036B5C99220F101DEF036C9,SHA256=7C79E613423D075DCDB6968D3319D864B6A4F9AFB403A12C19D58BF48B62AC55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449922Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:03.941{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8F351D02632F69AD999B7165257876C,SHA256=C1FC2AF34237C179292DB5B04CE0C535F48E418F6B9396D67192FF6857A7DBB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449921Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:03.857{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE20E7D3E71004952DD14B2DF2544B3,SHA256=79DBD6B62E4DD858D91785B5AF10335E992EB832E845F0C6BD7C07C3DA71A036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394918Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:03.091{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7917632EB879B5215126C1E271287CE0,SHA256=F4EBFF213294D3CD5B259BF496911F86A13D565D19D5FB57ADBC3466767A8A5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449920Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:03.741{D694AEB8-04AB-60E3-940A-00000000D301}46125736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449919Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:03.589{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-04AB-60E3-940A-00000000D301}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449918Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:03.589{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449917Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:03.589{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449916Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:03.589{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449915Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:03.589{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449914Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:03.589{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-04AB-60E3-940A-00000000D301}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449913Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:03.589{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-04AB-60E3-940A-00000000D301}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449912Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:03.589{D694AEB8-04AB-60E3-940A-00000000D301}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001449911Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:03.074{D694AEB8-04AA-60E3-930A-00000000D301}6276960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449941Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:04.956{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-04AC-60E3-960A-00000000D301}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449940Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:04.956{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449939Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:04.956{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449938Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:04.956{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449937Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:04.956{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449936Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:04.956{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-04AC-60E3-960A-00000000D301}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449935Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:04.956{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-04AC-60E3-960A-00000000D301}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449934Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:04.957{D694AEB8-04AC-60E3-960A-00000000D301}1112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001449933Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:03.128{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54309-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001449932Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:03.128{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54309-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001449931Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:04.872{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF9FF14A3683CE5C8FCD92177C0A7F65,SHA256=AAA524D3250F5F3BBDDECBDAECBE46D0B8AC0E4A8F52782AB26B01064268AE51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394920Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:03.262{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53703-false10.0.1.12-8000- 23542300x8000000000000000394919Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:04.091{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=957DD686BD5284B3D86AA12FFDA3025A,SHA256=0A3375A41C6EF99EFB0FC71623F41D9B23706A59FF780D9EB9D8F19F72DF11CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449930Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:04.272{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-04AC-60E3-950A-00000000D301}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449929Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:04.272{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449928Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:04.272{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449927Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:04.272{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449926Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:04.272{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449925Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:04.272{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-04AC-60E3-950A-00000000D301}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001449924Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:04.272{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-04AC-60E3-950A-00000000D301}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449923Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:04.273{D694AEB8-04AC-60E3-950A-00000000D301}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001449944Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:05.886{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2127349F566E69FC3D608A52CC6BDDEF,SHA256=754DEB61D8C251D9B71BFEB2741451207DF562CDACD482AD80C92E4072BB47D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394921Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:05.107{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE0C79ECFD2744C08472B3490623641E,SHA256=907F18BF9EF6CAF8EFABA25FF1853D096C25A61968990CDD6DA382E675C6DAEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449943Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:05.303{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CA903AB52EBD7136BA912003A4E240E,SHA256=65A2943793CFBE8014FEE80A25C8A4FDD6433DB4ABC993619A97614CE6F02F1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449942Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:05.119{D694AEB8-04AC-60E3-960A-00000000D301}11126488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000394922Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:06.107{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92EDB1B1E344113843493CCE9F5C7D9E,SHA256=28474A0CD0E7C3DA346C2E740C45A41E5E865F44916083EE58B5D1343694B57F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001449977Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449976Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449975Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449974Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449973Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449972Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449971Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449970Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449969Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449968Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449967Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449966Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449965Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449964Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449963Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449962Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449961Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449960Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449959Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449958Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449957Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449956Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449955Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449954Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2500-00000000D301}2804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449953Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2500-00000000D301}2804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449952Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449951Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449950Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449949Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449948Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449947Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449946Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001449945Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:06.102{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001449978Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:07.017{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E60A0DCBED1AE6566017AC5D97CB942B,SHA256=531AD38265F21FFFB21E5ACC764060641FBAC37BCE3C93A50D13A6ADEF1D48F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394923Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:07.107{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE6D19E253868B4F1000852A556364B,SHA256=FB432872EEAF071FC094E2D5AB9F253D35EFD79AF7150037C046C484E6A4BA36,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449980Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:05.710{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54310-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449979Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:08.034{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D68CF765974D3D04437A558B81720AF,SHA256=2589992794F1777F6C6D01267D7C01C03D59151F1F0ECDC869CC48D3B6D6C686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394924Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:08.107{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88CFA6878D50547F6A3845E6A49983B6,SHA256=DD208037C3694A5C36D8727168F9521801773E4CFB3E286EDB9A37AA2252CE9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394925Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:09.108{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E44C584062EF82A2DFC5C77B7E7B57BC,SHA256=9AF0DA16E96D64ED044A158FF5CA141F8AA76A7914CF2BDF71838D5633EAF088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449981Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:09.054{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A12E969AD3719DE9A3EA7DE9EBCB9A0,SHA256=B1B01E0DBD6E471CB9E701A7DFB77EE0E1EF590C986533E846EE8A358F9A1539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394927Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:10.121{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5B02334DD801A9B940FD5132C0A5A85,SHA256=10A37AFB8FC55BE2F0DD0815CFF6DCE12E4BA17DB28D99868E0DBC3BAD7DADF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449982Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:10.068{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1272024EB2F781BEBA9B4B1473EECF8,SHA256=8BC80F895770781414FA65F31E2E59058D7CD01061FB8471A046B4D6A720B75A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394926Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:08.278{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53704-false10.0.1.12-8000- 23542300x8000000000000000394928Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:11.143{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10CFE321F51E85A9434A90542B5BD144,SHA256=CB51652AA7B1755C43A75DF36956015B73AF58BBCB8FB03CBDC58A44B6922428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449983Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:11.098{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0A2185BED3C1A93F2F065E4A8578131,SHA256=ACE6203135BEBFEBC15E5BFFA81886316B2FC01350CAFA9A5C323D3399C09BFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394929Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:12.174{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21F6BC168FE98E801B69C1610A514A42,SHA256=C7C3C3BABEB88C35718020B264553BBFFB88702CD205E668B6B8D409719BD20B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449984Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:12.113{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E258CDAA67AD99BDF6B4C97FC9D560BD,SHA256=02D0BB97036B381A82AFF8A14AE790797B223BA2F46099CCF1A66EF7A1F4B72B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394930Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:13.253{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE86E04FCFBAAD18F7FB920BFD054CC,SHA256=62EE94D53D124723A4C9B7FD1F65712032F84440313A87718295133E73785F2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449985Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:13.131{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC2713AF7B445B7DAD78A0179EA0F0E,SHA256=07F76C941DF90540FB2273FB9282BF256E46E4DB79138E73DF83557C7FDA9350,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394931Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:14.299{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C27070084567C30275C1F0F78B08440,SHA256=DF2508AEB8BADB88237AA10B731AB60BC3E5E7213B92214BE2030FEFE4EE9E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449987Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:14.149{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D728052DF0606DB9FC95342140C5E68,SHA256=74E37EA091387A8A8E4432730154015F4B719C6B3F0AF45B98F21828E598C80B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449986Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:11.506{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54311-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000394932Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:15.315{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C755494347423C2C3D0F2D130D21025,SHA256=2134CA53262082C7D7C0B99D4B7717886F63A3E5033C51E4555CE70885459327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449988Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:15.164{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C5775D353D6FF8A55375F6D1545954,SHA256=EA19A482FA73CDDC90EB385AF9D6A996EFCE09D522BC50D2F0F0DE9AECF3AA20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394934Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:16.331{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EAC2A3282DA5086879762617A4DF3A2,SHA256=09E41CF6D7ECDC9DAA8BC3F4336608EA64DDF274CA1F22AF031E0F65643657B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449989Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:16.179{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27DB097AD6CC2B3F7DEE8F6D314FC653,SHA256=EF7DFCE8C0817736E2A12B4A6170A27D96825CA89C13DFCD36504E265C6D84E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394933Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:14.283{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53705-false10.0.1.12-8000- 23542300x8000000000000000394935Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:17.362{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=994E6BEA1ACBEBDC5430948D91595AF6,SHA256=7138D9A9322A14ECB2C29C06B5BCB1DA2AF2EFA5FE08E24F0F6E08BF072B995C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449990Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:17.194{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86ACC90993CCC729C5A4EB7E8F60E2AD,SHA256=99C770EFDC301770A6801ABC6B2356DAFD888FC966C35A48369C66BE44EDBA04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394936Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:18.596{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C227EA5415405E46E552A1FFA19063,SHA256=48053FDB380F921729CF50E299052268D07C1B59CFA9D12E112367996DE15494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449991Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:18.208{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4112B4BF2AEB640A079549963F2E968C,SHA256=37F02F98911A221A10CEBD97E00434E7D6C1291D891CCC81C26E599456BA4BE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394937Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:19.596{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE104B5F6BC3BA7D7F23FC28DFAD38AF,SHA256=C64DD4B9EE1DC1E51A2751F4492CB0D24BFC4BCB2E472D54E8CBD3DB74E8E3E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449992Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:19.226{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B41C3B60C3DC94F9109A90F4651C78E,SHA256=9A794653DE0DC19306055BF60426A4313B3E8B9AE82ED6A40BA0553FB6F48624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394938Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:20.596{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5872AC8FC4A14445C72B714D2AEE75C,SHA256=DF5A7B866A07E8191F99A548BB0EA54CE924FF836304FFA0FB5FCF8D750598F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449994Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:20.244{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E14CF4BAC24A5EF7A9A84C78A4A4EAC0,SHA256=6BB21FDF58F8FC48959C95C0C671B82D3DE61EA1A385C2C221B6ABA9683DA24E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449993Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:17.516{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54312-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000394940Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:21.659{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E0C8346AB298BC62C38C4C9575ABE8,SHA256=9F52EA669FBEDBA6E7AC97AF8681F2908F68326BB93BDA7972BA24F79A2A22BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449995Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:21.259{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2451DF8DB541F2FC73794933D779A4E4,SHA256=1B5C1481F7E9277AB2E8CE8110FE1A02D74A2CA6594AEAA7AD59AB1F98412320,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394939Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:20.314{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53706-false10.0.1.12-8000- 23542300x8000000000000000394941Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:22.706{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DE4C6566AF0FDF23EEA7C2B29AD13B6,SHA256=FF8DB53D316BCD61D9971531297534EC9A4D9942F60E6F7C5CDEE531D34F07D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449996Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:22.289{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B767989D07915222C3C9C81CEAD3DE07,SHA256=1F442F41109FAE8C2CFAAA0BE4704C8B16BDAD8EB03EF57014B4AC154B316582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394942Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:23.862{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDDFF21BA92370969804F7C91CE4E72,SHA256=7A68B175D47A08E30C9177D2E0A0DA13915F8F5E7B7B041BC328AD22960799D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001449997Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:23.303{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB8AADC27CDC4F55802657A4BFB473D4,SHA256=4D6E6137E5011921660D23F669AFD243AE40DF7FD9B0DC064C706510FBF66EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394943Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:24.878{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A02D3D1CA01D9B75F1BDE7A16E6B652,SHA256=0CE951EFF56BA55400DF4ED7E3F76AE2B0CFA27F4D63B6CC3D77C63F5723A9D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001449999Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:22.527{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54313-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001449998Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:24.324{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5C54410693E1075678FB113F7A62060,SHA256=98A9A94DE9E0697398C1C21ECEB6521DEDE71FC7E857D2917633DC2EEB2BA224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394945Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:25.878{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6088B097CDE34BC41C9B8E2F610AD6CD,SHA256=B1F431A3D8A35CA1BFEA25F35BD4E3D03504B1A5C877E7ADB08DF7897F96F2B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450000Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:25.354{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306296E6A94A49AAD93231E4933653EA,SHA256=E688901D9C46329EF764D6371B4D6543202A98D8570F4AA673E15DDDB8D40014,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000394944Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:10:25.799{7F1C7D0B-B3E4-60E2-1500-00000000D401}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7719f-0x1e9c0a17) 23542300x8000000000000000394948Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:26.926{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80A158EC73F3FB02342259DD547C2D95,SHA256=29551F731C2A16B1A3C7A72BC1D79CA2A20CEE674A6B5C9A8A4051747D8A9655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450001Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:26.369{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26699E18A478E110DC5F641400A42405,SHA256=9E09A3C02099FEADDC6A5EACFE0DE520DF54BB007E85DE809ABB57982D8E3482,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394947Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:25.346{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53707-false10.0.1.12-8000- 23542300x8000000000000000394946Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:26.237{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9B4E05082117DCE1507246BE11CDE84B,SHA256=21DDFF4BE1C3EFFE76792391C92EFD632F440EF58D37D2889838671757A59446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450002Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:27.384{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4688A7B3676C283F1484E38C883D584E,SHA256=AA91BEDC32184300CB5F01B222E8847D6FFD4FB70386207169D13274C0DB75B2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000394959Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:10:27.754{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000394958Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:10:27.754{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x013bf948) 13241300x8000000000000000394957Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:10:27.754{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77196-0xbddfde7d) 13241300x8000000000000000394956Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:10:27.754{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7719f-0x1fa4467d) 13241300x8000000000000000394955Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:10:27.754{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771a7-0x8168ae7d) 13241300x8000000000000000394954Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:10:27.754{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000394953Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:10:27.754{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x013bf948) 13241300x8000000000000000394952Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:10:27.754{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77196-0xbddfde7d) 13241300x8000000000000000394951Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:10:27.754{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7719f-0x1fa4467d) 13241300x8000000000000000394950Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:10:27.754{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771a7-0x8168ae7d) 354300x8000000000000000394949Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:25.970{7F1C7D0B-B3E4-60E2-1500-00000000D401}1036C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x80000000000000001450003Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:28.416{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC00F1E68175D5474F68B13E84BCA2E,SHA256=115AEE2C1075D0AB84B227F0F241AF6001C84866930699EA2A17811B13BE0B67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394960Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:28.020{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D82FB49F269E4FA39D2643809A804B,SHA256=F2C0177ED320E4299597B12E615BCBFED1466981293B08689F351BAE7DA19F7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450004Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:29.435{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A40F27535C934820889454326F0D8E,SHA256=6C90D9C54BD22BF2BA0BAC548D0AB5D5550D748CD20BBCB1DBA157FEC2141D2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394961Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:29.207{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68696E833C8C97991E9CD4D839D07F6D,SHA256=BCFB929E9F241BC1FCD0527F6BD5D82F482342D8B3CA8E601CB4E05F8459AACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394963Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:30.801{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394962Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:30.254{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B690F7D6A05E349CB7B94D218B60B44,SHA256=F651DD66DACADC62F6DB45520392642C637E30C03D1D9479957ABB27D60E14E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450007Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:28.568{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54314-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450006Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:30.449{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E991DEE61975F1210B71A46999D0AAC,SHA256=33BB9A562F09F824ED2B230359A8335BC255569B0DECEFACC5E867AD76BA7D19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450005Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:30.081{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394965Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:30.378{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53708-false10.0.1.12-8000- 23542300x8000000000000000394964Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:31.285{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E3B6DC88C0833A328479C6687AD28B,SHA256=360F6CDA1997D61FFB02029B336B8F23CB485EDD5E3590D6149E1664DDF86E50,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450009Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:29.520{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54315-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001450008Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:31.464{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69AF11D26AED4A34C3DEFF42D4510307,SHA256=E916B72C4F3FCC595516E69537C8B59804F53F9227AEF2F9C0535DF30553D1E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450010Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:32.479{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D22FFC58033B08C7FD8226DB3483B9,SHA256=ED6DC4A705F5C4DBE24CF4CA23ACF743B2B69F2B603C717D1BF203582AEEC602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394966Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:32.332{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B88481890A571877464900912D9614D9,SHA256=815C45E9769DC1077C0E29EFC4542BC163C151145D34B623696F8301CEB396C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450012Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:33.793{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4EBC00CF8E444CEFB747AC2C7F8FBF1D,SHA256=125A5640A63C311E14E8C1E02CC5732E0595798302DFB28D0B8E4136E5D00CA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450011Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:33.509{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B892CA959C04E2B0A45776635651FBC,SHA256=BDC2D9C6639C233FAA39DA80A7B9813505AAB75E3333C0E80EE40AE6959D198C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000394968Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:30.972{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53709-false10.0.1.12-8089- 23542300x8000000000000000394967Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:33.348{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F62579D2A576F0E9123C6252637E3E1C,SHA256=F90AD3B11138A0CB9C1C83F69D42AAD9ADE30F55C923F86DA6F03229E8330CFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394982Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:34.535{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-04CA-60E3-060A-00000000D401}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394981Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:34.535{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394980Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:34.535{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394979Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:34.535{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394978Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:34.535{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394977Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:34.535{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394976Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:34.535{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394975Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:34.535{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394974Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:34.535{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394973Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:34.535{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394972Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:34.535{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-04CA-60E3-060A-00000000D401}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394971Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:34.535{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-04CA-60E3-060A-00000000D401}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394970Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:34.536{7F1C7D0B-04CA-60E3-060A-00000000D401}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000394969Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:34.348{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F7C2D17A13576A089F60513053079E6,SHA256=71C68ACD80E571EDB85DA54E109930CA874F6FD6B1C358ED17A85C3BE48C9AA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450013Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:34.543{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7022951D8CE3E4310FC96F4DC71CF370,SHA256=9C291C65016D1C9DD5D80FDEBBA4677792E3E57B04AABCA64F35A64EE162BE46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395013Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.676{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-04CB-60E3-080A-00000000D401}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395012Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.676{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395011Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.676{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395010Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.676{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395009Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.676{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395008Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.676{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395007Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.676{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395006Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.676{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395005Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.676{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395004Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.676{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395003Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.676{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-04CB-60E3-080A-00000000D401}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395002Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.676{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-04CB-60E3-080A-00000000D401}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395001Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.679{7F1C7D0B-04CB-60E3-080A-00000000D401}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395000Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.676{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1328020307F7F553635CA42FD8660D1F,SHA256=E9577AF33539E636342D1CE2865D4A455FBF35AE218B977CCC01F020C2D64B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394999Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.676{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=500DEDF8B58B9C5946BE015FCDF7B0BE,SHA256=830D5F46E2A6F7186E484F8AFF6D6A95314770E698E23D4891DB862EA50C2928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394998Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.676{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D207D22A0D291A2AF2A2A12E3E5C3757,SHA256=2460EA8D411DDE653482C62B75D85982A196C1E2AFF7EE70999E4D13475FC0B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000394997Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.363{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E23BC914A27C3D2C004EE1919ACEE12,SHA256=42E99F2EF16C461FEF6C4D55A9848FFAD6FE3014CA54ABD2B343D9E3B52B3912,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450015Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:33.617{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54316-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450014Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:35.561{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8729592603A6C48C2015C25E27D7DBED,SHA256=6113B7FD9D1EF6DF8A0C2A34B8BB162CFE4223904FBAE7B2B9ACFE9714424C47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000394996Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.254{7F1C7D0B-04CB-60E3-070A-00000000D401}3024656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394995Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.051{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-04CB-60E3-070A-00000000D401}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394994Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.051{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394993Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.051{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394992Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.051{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394991Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.051{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394990Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.051{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394989Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.051{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394988Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.051{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394987Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.051{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394986Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.051{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394985Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.051{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-04CB-60E3-070A-00000000D401}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000394984Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.051{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-04CB-60E3-070A-00000000D401}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000394983Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:35.052{7F1C7D0B-04CB-60E3-070A-00000000D401}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450016Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:36.575{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F223E15CFD45EB4A70F99AA9AB2321,SHA256=4C441EA128A10A52E3FE9C025D364B5BD830FEDD0D54645FD26F491D22209D78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395015Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:36.894{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1328020307F7F553635CA42FD8660D1F,SHA256=E9577AF33539E636342D1CE2865D4A455FBF35AE218B977CCC01F020C2D64B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395014Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:36.363{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDB6364C5A32C2DB6D711F14993F8BD,SHA256=6D203D2113676C1258F5B13A3CC0AF14DBE8242281EBB448BA448E320F143340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450017Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:37.591{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6411B282C3FC016D4B330DD29145D7C,SHA256=3498FFE3481EB42E8EA95CEA2A166606647A486966A7E1C467C461DBBFEFF8D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395016Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:37.363{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3914F8747D076E02BE083D92D27781EE,SHA256=6C7817EEDA0E8A0C112AF5438684B9125727A62680808B80A0A49C3C7258A915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450018Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:38.605{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C160A763FFF1FB3BDAF0862008206C,SHA256=F4A713866B382F177F19427E36D81966841596D882D2A6361C1523FFECE9D64A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395018Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:36.394{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53710-false10.0.1.12-8000- 23542300x8000000000000000395017Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:38.363{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2DACBB29034EA17EF22F052E293E09,SHA256=8E5014258473A56915361D528ABB7D0DE728DC39FCE4E941DE2ADEB51725373B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450019Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:39.619{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A852EBCF5295723A2D9F20AB64EF3F3,SHA256=6728603C070A304A4B1DAB64E1881D8774DB175D9E1597C05EB3DB3E0577798B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395046Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.785{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-04CF-60E3-0A0A-00000000D401}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395045Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.785{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395044Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.785{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395043Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.785{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395042Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.785{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395041Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.785{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395040Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.785{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395039Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.785{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395038Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.785{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395037Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.785{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395036Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.785{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-04CF-60E3-0A0A-00000000D401}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395035Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.785{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-04CF-60E3-0A0A-00000000D401}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395034Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.786{7F1C7D0B-04CF-60E3-0A0A-00000000D401}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000395033Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.504{7F1C7D0B-04CF-60E3-090A-00000000D401}8284080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000395032Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.363{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5C84BC26EDC2D0C34277E3C2C6F59AD,SHA256=233FACFE3494F0ED6F97649F4DCF6A5FB6A9FEC66454F710919CE66DA5427539,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395031Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.285{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-04CF-60E3-090A-00000000D401}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395030Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.285{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395029Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.285{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395028Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.285{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395027Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.285{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395026Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.285{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395025Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.285{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395024Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.285{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395023Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.285{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395022Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.285{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395021Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.285{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-04CF-60E3-090A-00000000D401}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395020Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.285{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-04CF-60E3-090A-00000000D401}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395019Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:39.286{7F1C7D0B-04CF-60E3-090A-00000000D401}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001450021Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:38.675{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54317-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450020Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:40.636{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A06B81518DD9A08AD9D771D55A2F0851,SHA256=2D28ACF1C079352D881C36752E7E5CC5E97A65C2FB398A018F5430CCCC63519C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395076Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.801{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-04D0-60E3-0C0A-00000000D401}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395075Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395074Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395073Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395072Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395071Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395070Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395069Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395068Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395067Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395066Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.801{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-04D0-60E3-0C0A-00000000D401}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395065Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.801{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-04D0-60E3-0C0A-00000000D401}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395064Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.802{7F1C7D0B-04D0-60E3-0C0A-00000000D401}3036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000395063Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.519{7F1C7D0B-04D0-60E3-0B0A-00000000D401}32442924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000395062Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.441{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5192C40451E93906E1075BE475EB7F1,SHA256=5EDC8DD0050C85E6968436882BD31B347B3C16BEA30662EB71F719E2DCA4C5AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395061Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.363{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D7CB77C6A0CA31FC8296F809D3ADCEA,SHA256=0F9D54612AF406F8BDA45F15BCE5EE903599AF59DDB767C0749FDC01ECBE9757,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395060Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.301{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-04D0-60E3-0B0A-00000000D401}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395059Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.301{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395058Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.301{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395057Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.301{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395056Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.301{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395055Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.301{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395054Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.301{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395053Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.301{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395052Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.301{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395051Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.301{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395050Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.301{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-04D0-60E3-0B0A-00000000D401}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395049Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.301{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-04D0-60E3-0B0A-00000000D401}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395048Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.302{7F1C7D0B-04D0-60E3-0B0A-00000000D401}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000395047Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:40.082{7F1C7D0B-04CF-60E3-0A0A-00000000D401}2920896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001450022Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:41.655{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8172D57096F1FFC84899F6B1EEE32CC5,SHA256=B19097FA141F95C6E041CB2735E4F541A6678BEDCCC988699D449618017FE23F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395078Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:41.863{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F97F1B9E1D4EF92D75353C8D604FD35,SHA256=C02521425DBC2CAD352F8B0A58933D310B2C22181CADDD0163D1F2A961A1A1A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395077Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:41.363{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F336022B7910637AB7FCAAD456270086,SHA256=16CD29604FD6080F311AE2208407BF55F605012D6016DF78A335959C5B4CD6E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450023Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:42.670{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04CBC4DA23F64626ADA403353806BCDF,SHA256=A6DDBAB013BB1B98A6D90918AE179DB169D7E15CED6ED3AC31E47D029AACD587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395079Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:42.363{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4D28AF9278958045D475D90CA38FA84,SHA256=74B40C52845A630BED547BF92E45FD312896C5D9B3EE80095D1463C379879FE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395080Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:43.363{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51AC2C1DED699546D2F3E26781AD06CA,SHA256=E74B1DA8B85AA6D07004201FFED0E587E23BAA48950F64424F611A708B82CE73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450024Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:43.684{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6B1E877D3B39F40C93E79E7C640BDF,SHA256=3ADE6ED1E208FE6B6F5FC376703BD60D8D5836171C9C4D9000490F2B62285874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450025Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:44.700{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2920F7B04C3DA708FF4F3CAC308E4E8E,SHA256=5B8872E31CCA2640FAF34B11C7CB9E9033856562FF5F9DBE381D46DC8030A523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395082Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:44.363{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E755E3690F22D3B869915EFBECDD0C9F,SHA256=ADD2059C03AB1658ED1E884DD6C10EDEBB357C9901762A551108AAB2AA28C694,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395081Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:42.378{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53711-false10.0.1.12-8000- 354300x80000000000000001450027Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:43.686{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54318-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450026Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:45.715{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A257F25A894F99AAD3B14F10C1EE6E5F,SHA256=1CF7530C690C0186FBAAD5DC5EDCEA1BE40E8253820825DE3CB0D7769685EE96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395083Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:45.363{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2411B60BAACD39091D50F82929D1BD,SHA256=0AE47EB0B7C2D1F161DA01BC630349CB1345327B9C70F0EB22C8722CC257987E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450028Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:46.733{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC8AD124E4D7FE50C0641CF5B6D68C8B,SHA256=8A09194CE8111F8924937D6C2EF187364B61FECAF494BA36D2681D1322AB241B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395084Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:46.363{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0291C418F547B89587B93AF142B7C172,SHA256=5B97D7338616523E400306DC4B7AF219C830C9330D303EFC9FA826A78C0AF690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450029Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:47.751{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB37E02E44DCED1F62EDFCD4BAFAFCD2,SHA256=B8A278C17E0FA7956D52F569371868496380C9A5452DC0900B4E01F09E0733AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395085Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:47.363{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CD549C9B9AF85DEA956AC8FE6C385D,SHA256=FA0D8B8822AA7EC19DC04F6508F2477151B6F0723C6074533BD87BE2429AF8DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450030Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:48.765{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF16305EF9F326DA0CE97FB9FF675D4B,SHA256=86D14C2008614010BE0354E201141FF4C4E93C987DD4AF968974EC37079F703F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395088Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:48.488{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF07EF5952082E48A962998614CD42FD,SHA256=37E5457D989708871874BA75FBEC4A04D68C93263F914DAC6960525E6EC8FC07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395087Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:48.488{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=131E5FFBAADD69FDFBD50A71150BE0B5,SHA256=ED8D3FAFC5017DD79CFA7FA51B0F29804C67B9DA4B5BD461D32DBD86AB9DBF52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395086Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:48.363{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D98B894B0DA8BB6449C9D2821FCF726A,SHA256=35FC2F7663E88D1354FA0294901C73292CC934EAE7A0BE193F0E4F432BA5D91F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450031Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:49.780{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88422E8EC02F39393E7B8FB87B3E9F21,SHA256=EB13DAFFAD87F464F3040FFFD5DB2CA8C4D975E60D3D12D1D0B5AC99BFD17FB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395090Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:47.385{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-55306-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000395089Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:49.363{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD854F2BD37172E40D85384D887098F,SHA256=B6E2993B12318E596935B9842A6BF1BF30237DFA626310BDFDF717E1A93EC1B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450032Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:50.795{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6305B40EF04B88063E3D7B92644F6131,SHA256=34CBF86D52DB5F512C434976F18E662F5CAAFEDBBA1A1876DEDA9B382AC37AB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395092Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:48.363{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53712-false10.0.1.12-8000- 23542300x8000000000000000395091Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:50.379{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B291A29322FBE76796DAD258DF5A5113,SHA256=51F26E2E3580D587F887B49F4D2602E6419D0C5244BFB70CD221CA253E7C2BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450033Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:51.809{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515E66863B7BFBC34D3D4D8F9A6CA8D9,SHA256=543B3E1B49D230C5A0A63DCE88CDD6CC6523DE3A67E5F25931EED322E292B973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395093Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:51.379{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B57E253FFAC8A4C30C31CA13F010D21,SHA256=AF0EB26AB5C86CF9FE4E520C32A0049FAE85308B3E5B6C847655CB6B984838A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450035Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:52.827{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A702B9A43ADC94C1CF13494A13BB2701,SHA256=3971E01E93C7B5582B2E5029A84E54DCF35F163EEC85B8C6D3A231F0644419E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395094Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:52.379{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D89F5B167BCF94984DF488236224E59,SHA256=78F5165BCB54D042496466CD83511F632899D45F2CE713786CC036B63618B5E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450034Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:49.466{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54319-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450036Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:53.845{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F273822799F8E7A10459281E3264EB24,SHA256=C82D6CA8087C7A2A8C539C93648FEAAB79F3C0C263CA5EF099DC64084ABC64E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395095Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:53.379{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F8B5DF14344CD577BC78E2B31057D8,SHA256=5B34DC136CCCDAB3BDF82E946898B716931B7AB67CED64D8375307DCA1AE87ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450037Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:54.859{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3532967B0023BB18EA2E93EFE101E8C,SHA256=9FEEFFFC5C414B6790AF4CA1A9993B1B340FA9880478F7DB1B4B39FDE2B4E93E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395096Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:54.379{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E449B7A3255456D1C2FF2F211570DD5,SHA256=FE35F37A0EBF931AAD969AE0B59CC4AA8D32C39C52AE82ABAE87C106683BD1FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450038Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:55.874{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8970D7A97C824251E7DA6F221F3BB3FD,SHA256=D3775049B0F6B574357DA0E6A9D23B2932A7C371F07596641F944FCF01E5E481,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395098Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:54.394{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53713-false10.0.1.12-8000- 23542300x8000000000000000395097Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:55.379{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8694171F478013CB0AB9B9270D9976AA,SHA256=3E28EEE5D3A9090D740FD4A6DB0502A589B8239779B4FF60DE708C1B3C26B015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450039Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:56.922{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE4B7AD54DD2AC98C3EEEFCF0C1160A,SHA256=E3308E8EC5403BD0FA67F2AE5D05D24DB3BD1BB359DA117C89EA6D15D9F53BE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395099Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:56.379{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E510A9333F728C15AC0DC48335F74D0,SHA256=143D41E01A64E91D77870A12449BC6EA5DFCF180FB4CE8C94AB2EFE21669143E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450041Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:57.940{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B8E341DDB4044B3EA69B3FFA661940,SHA256=91E10F0D7EA22BCE1EC2BE978EB258DA9705A446C01EA852717362D108336786,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395100Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:57.379{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B42B390904AB2AB8A7D22ADD992DD275,SHA256=1D4D2FDE560D299372AEC51E688D527EB41C47FD401161EB2EF4782350785FD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450040Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:54.546{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54320-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450042Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:58.955{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A21AAA1DF09D20B17E918BEC51DD9DB3,SHA256=8ED33AB17F897253D409740DD60E61A1EADC23B5BB948E0687AA4CD42F5F5C17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395101Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:58.379{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E639BB764B24231FF48848D22E493DA,SHA256=19B3CF12A0D64BA2263160D037C0A220F623FFA6781EC3BF696797CC7FC58713,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450060Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:59.986{D694AEB8-04E3-60E3-980A-00000000D301}47481956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001450059Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:59.970{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A79DFA656F7CD2912498FE3F9A7B62AC,SHA256=80F5663F9C1B11E0499C92D0B47A3AA223D598E1101C36B212621311C2456312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395102Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:59.379{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332C1F9E4D760BDA0A012550E0C08123,SHA256=CB812A195A3B10A8FA3E318CF761D86FCA3FD8EB6D54B4A346EA089F180FE95C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450058Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:59.739{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-04E3-60E3-980A-00000000D301}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450057Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:59.739{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450056Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:59.739{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450055Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:59.739{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450054Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:59.739{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450053Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:59.739{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-04E3-60E3-980A-00000000D301}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450052Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:59.739{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-04E3-60E3-980A-00000000D301}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450051Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:59.740{D694AEB8-04E3-60E3-980A-00000000D301}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001450050Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:59.140{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-04E3-60E3-970A-00000000D301}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450049Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:59.140{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450048Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:59.140{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450047Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:59.140{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450046Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:59.140{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450045Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:59.140{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-04E3-60E3-970A-00000000D301}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450044Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:59.140{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-04E3-60E3-970A-00000000D301}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450043Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:10:59.141{D694AEB8-04E3-60E3-970A-00000000D301}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450071Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:00.985{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6517CC91107A75074F981F49CE46177F,SHA256=46BD9C04BDB0DC326909833945BC3644D4170D0161C96E76B5CBDF3F6EB2710D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395103Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:00.379{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F597B496695B5EA1D95039DB5C70C1BA,SHA256=E6F11659372A6048EB50A52BF6E1717CBE3EECC8A0ACDB97ED1E5DF145002EDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450070Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:00.421{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-04E4-60E3-990A-00000000D301}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450069Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:00.420{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450068Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:00.420{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450067Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:00.419{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450066Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:00.419{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450065Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:00.419{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-04E4-60E3-990A-00000000D301}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450064Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:00.419{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-04E4-60E3-990A-00000000D301}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450063Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:00.417{D694AEB8-04E4-60E3-990A-00000000D301}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450062Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:00.154{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C9888B8AABE38EB60EB4313069E328D,SHA256=21C0C8644EECEA3ADE5438AB23A0CB571D382BF1B18BAEDD7DBDF5D90EBE87A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450061Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:00.154{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EDFB7716FD1F4A4397F973DA4B01B9A,SHA256=0B17309C1E0DEE7E25A93A5C4213A4C5ED5B8435A193A68E444594EBDCFC661F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395105Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:01.379{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA99087F1DED242B46ADF212416E53A3,SHA256=3587D411B9DA3740BF3191CB8E2DF56B4E561B260A095F1BF8A1163571EB2BBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450072Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:01.468{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C9888B8AABE38EB60EB4313069E328D,SHA256=21C0C8644EECEA3ADE5438AB23A0CB571D382BF1B18BAEDD7DBDF5D90EBE87A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395104Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:10:59.442{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53714-false10.0.1.12-8000- 23542300x8000000000000000395106Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:02.380{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8037A819DBD4F5B59E42EC5504379047,SHA256=743B57A4A59C94C62B4E5140890922EFFBC5DAE0DDE1D7412D74F951A437A8B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450081Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:02.918{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-04E6-60E3-9A0A-00000000D301}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450080Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:02.917{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450079Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:02.916{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450078Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:02.916{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450077Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:02.916{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450076Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:02.916{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-04E6-60E3-9A0A-00000000D301}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450075Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:02.916{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-04E6-60E3-9A0A-00000000D301}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450074Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:02.915{D694AEB8-04E6-60E3-9A0A-00000000D301}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450073Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:01.999{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F062D1EFF93BEE64072EBD35CF425C,SHA256=11139F60B403479AB0469BAB8F3D59AFF853B0EC472E0F1F35DFF70913814E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395107Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:03.394{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E58378884CFB19A2C4C368FD1D0CB3,SHA256=B90A4E654F6539909B8373E3EFC6790D1755349D324DEAC35DC52F8AE29BBA39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450094Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:03.934{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BEDBDBC0600140E23952502BA43C97C,SHA256=D5B2AF4D56CB1F5085DE4BAD63C1F04854F564258E3A754004CEC2C05F9EBDBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450093Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:03.750{D694AEB8-04E7-60E3-9B0A-00000000D301}57282192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450092Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:03.597{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-04E7-60E3-9B0A-00000000D301}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450091Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:03.597{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450090Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:03.597{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450089Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:03.597{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450088Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:03.597{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450087Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:03.597{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-04E7-60E3-9B0A-00000000D301}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450086Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:03.597{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-04E7-60E3-9B0A-00000000D301}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450085Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:03.598{D694AEB8-04E7-60E3-9B0A-00000000D301}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001450084Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:00.539{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54321-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001450083Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:03.067{D694AEB8-04E6-60E3-9A0A-00000000D301}55124092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001450082Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:03.018{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3875728A437AB720B9803D18E23D02D,SHA256=A7E0A71DA93D9EAFE3F758826394A273EC592796E453C126C6347F950D12702C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395108Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:04.396{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60FBA119F3DF670A56FE941D2A1977D,SHA256=1FF808A1502AB96105D3A375E081CC097A63FFBA1B010C96D823D0CE7B931DC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450111Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:04.949{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-04E8-60E3-9D0A-00000000D301}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450110Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:04.949{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450109Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:04.949{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450108Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:04.949{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450107Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:04.949{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450106Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:04.949{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-04E8-60E3-9D0A-00000000D301}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450105Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:04.949{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-04E8-60E3-9D0A-00000000D301}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450104Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:04.950{D694AEB8-04E8-60E3-9D0A-00000000D301}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001450103Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:04.281{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-04E8-60E3-9C0A-00000000D301}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450102Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:04.281{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450101Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:04.281{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450100Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:04.281{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450099Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:04.281{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450098Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:04.281{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-04E8-60E3-9C0A-00000000D301}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450097Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:04.281{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-04E8-60E3-9C0A-00000000D301}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450096Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:04.282{D694AEB8-04E8-60E3-9C0A-00000000D301}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450095Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:04.034{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0650ADEC317EDF7C8C00B148E2EF77A,SHA256=9A6A6A19F747B024EF3659F08355D0D5D782495B4319B9716E6E87D8302C4B79,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450116Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:03.137{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54322-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001450115Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:03.137{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54322-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001450114Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:05.296{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E28865FD4B30F8782835384C5A4E671E,SHA256=3244C9058538523E4BA8F4FC3DDA6C1976F655E6AC41F3AB2DF3856A63647A22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450113Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:05.118{D694AEB8-04E8-60E3-9D0A-00000000D301}70205852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001450112Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:05.065{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB0C8921D73FA0105316F67AE2B8A43,SHA256=689A4BC2893FFDB5A6BD112D5824D286D67B64216CE228CB110A537F84740364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395109Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:05.410{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1871D9DA4D7F275A3B0969803D95DFFB,SHA256=F7C9439382EDDB107070E910B0B7DDEDEA1D33ADC36A3047FBF0090FC3EEA5F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395110Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:06.410{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B960C66B8F65E4AF9D0C3B8CD51626D6,SHA256=A3E576BFAB682029D3FAD266332554CFC997E7B4A24824C6B64F73F7338609BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450117Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:06.114{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342EDDA275253960E0696E89FB8692BE,SHA256=783730BA2E87F578518C607B63A049FA849EE3980CDFA11EB058199203E6065C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395112Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:07.426{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23CA7CFDABE033B78F6A8E711913254E,SHA256=5920358ED6F0632152A3828B6B8B6D179D78C0F66DD52BAC5D8A37A9886EDE59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450118Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:07.132{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD155D22E5469AA990526365E46DEF97,SHA256=2DD795CAADEC6B6A2E08408024B7BA4B82FCB2AFD1619A4AB30F6C3D516246C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395111Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:05.207{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53715-false10.0.1.12-8000- 23542300x8000000000000000395113Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:08.426{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691DDCE824DF807805A5EB14472B61C1,SHA256=7F490EEEDDE74F661C0CEA38BEA6DEE5600B4151E11FEDD15D7686815FE83DE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450120Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:06.534{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54323-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450119Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:08.178{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B6687FC28C9F9702F0D248CF8FA705,SHA256=EEB671CAA76C64FA2391CDBE7DE47E8641308B6E84360968B18CF875502FCA8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450121Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:09.192{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A342277ADD54FF42A01C1199280AC4C,SHA256=C9D275F49A0808DD3DFE605966743FBE85A0B2D02C8852C184968B050D6F2FBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395114Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:09.426{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F516AC5F3EFA08AFD9FA7FCCD99EC025,SHA256=A1DC3F0BDF28C0FCDA7D5195E1C4D431ECC641F48B2EBD2140262F981CE6B613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450122Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:10.208{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CFA73F78FCC10FB1593CF210ABFDD77,SHA256=DEFDA5F064189CF38BB19C6D3880BE6408EBB55BD5EA9FA52DFC2E43AD7D3CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395115Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:10.426{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81AAA99FD1D9480A5DE4973DB8370DB6,SHA256=AD2BD0534275B3A3101106533A449D271AC8DAFDAC80FFA9C5443D3F87312AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395116Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:11.432{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9362A683A522A43CC073B65C9E186E5,SHA256=F206C46C8294FE9D05C67A12A2F40C84794BE38698591CB3C934144848E2E20A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450123Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:11.229{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64FE14063EAD21AF8244CB890473AAE8,SHA256=CD84A00398FE8138AE5183A30E08B1F72E560A245A0BA6DE86083BA0CCAD2581,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395118Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:12.449{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B9B4DB692728142AFD95C717C94CAC,SHA256=16851971AA0D59CA2183D61BB2F529FE9E2B87AF846B6E33A5CA7D755A0098A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450124Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:12.244{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC32EE963A7202273416103CE03C5A1F,SHA256=1DB05C9439FE4E4F15FE58E70827FA4219C6B0656AD6907790D5A6DDD9ABEF4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395117Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:10.222{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53716-false10.0.1.12-8000- 23542300x8000000000000000395119Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:13.621{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179565BFEC270D96A86D17B4486B1155,SHA256=0CEBFA6C0313DB10D47F5811184D3CF904EA41F5C0CF9463C42F48AB7B499322,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450125Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:13.259{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=940CF828884C511A6C88DE8E21F7984B,SHA256=E4245CBCF52DBA57FB8CE902C74EA25D212A010DB64BEAB8E822ABBC4AA5325D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395120Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:14.668{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68E8DC55928C1400A05162EA1E2D43A6,SHA256=C70580BD6361C7AE643A9606B541C3DBABDD2CFADCD4A22DB677335C686EC8BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450127Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:12.514{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54324-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450126Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:14.259{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A8CDCCCAF8C7CB73CC84785092AD861,SHA256=40A3554328D34FC7B398216CA7D89DCF85265AB0B3D0E4517DE40A17E70FDE5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395121Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:15.839{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=655451616F2648B063C7DA12ED24612C,SHA256=FC2A7EB6097A4BB7869AA66A18C78EDBAD9AAC483465F9794F3247E36B59D461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450128Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:15.289{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67ACBE5142B80615DE4BE0E84D588049,SHA256=3ECEDCCF0342B3D994BDA5A888C8E019AF22EBC64D6A5BC916289DFC97D30959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395123Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:16.839{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9602E80D2AF88D293998F429BC6C44,SHA256=1363577FE715B34F75BAED08820BB5242CFA8F4FB06B86C209F73CDBE32D8A32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450129Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:16.306{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C9F3B502AABEC6F62850E5B665549A,SHA256=C688AAAD6BB33EC0E43CA99AE64C6922D2DEF162FC497E0DFA8188213135338C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395122Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:15.246{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53717-false10.0.1.12-8000- 23542300x8000000000000000395124Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:17.871{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BEA5EB7E46827DD1878ED909D260803,SHA256=BD0CC960832645361D22EFB33616A33748A6DCE7B66053B07FFF89FB92227A8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450130Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:17.309{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB39E8B1F24E5FEBD267B8C55428CF5,SHA256=F9D68DEFA54B8A4ABCE18746A0C0E20134992CAAE7FB8A0EFA31C8A64A75E923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395125Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:18.949{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E02FFA7802D2E6AF0F2C6D5BA21F92C,SHA256=A8EC8DA3C2798BECE7D189E0B2A9C07721148A600A062416776430BA0A907982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450131Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:18.324{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B8F20171D289C7AD6FC7C4C5C645731,SHA256=EBE5C54B4EE306660BA957EC579A48FFB13C7DD209A2D0B6512CA90A295DCCA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395126Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:19.949{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B07779249DD20EFDAE986B5CD11FF6,SHA256=2CB6058199E05295C6948AFC33D9A65236074501604C5056120D0BDBC4C0EF00,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450133Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:17.579{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54325-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450132Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:19.338{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C83444D6F61CF052D8BDAD3A7E859C8,SHA256=C2DCEF66B044F2805D6C54FD820D777BA37003A6ABAF2DA1078C2245D94D6697,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450140Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:20.983{D694AEB8-B3E8-60E2-0B00-00000000D301}6565444C:\Windows\system32\lsass.exe{D694AEB8-B3E5-60E2-0100-00000000D301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001450139Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:18.296{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54326-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001450138Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:18.296{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54326-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 23542300x80000000000000001450137Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:20.353{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E05827191008213E4F2B5E78CAC4264,SHA256=E5E3ED1BF261DA8874DCAA6E46BF0B1EC7273D0CCB09A20D0340A8263F9D07C8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001450136Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:11:20.206{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\DFD6B7A8-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_DFD6B7A8-0000-0000-0000-100000000000.XML 13241300x80000000000000001450135Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:11:20.184{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Config SourceDWORD (0x00000001) 13241300x80000000000000001450134Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:11:20.184{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_E4B998BB-7148-4125-92A5-5D16014446F6.XML 354300x8000000000000000395128Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:20.418{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53718-false10.0.1.12-8000- 23542300x8000000000000000395127Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:21.027{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=467D32E989ED139C0BB94F54A908BB61,SHA256=CC94F74737735D9E87E580F3E606A735222AA344A12F8F4C4CCB75059FF5CEFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450149Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:21.383{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAB62EC391E7E4AAF304C1B1B2F0217D,SHA256=8C6B0F650245A39DE60E43B84A59FB81C78D35D5DA1504DE2C5E793E1876A6FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450148Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:19.669{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54329-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001450147Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:19.669{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54329-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001450146Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:19.662{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54328-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001450145Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:19.662{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54328-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001450144Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:19.640{D694AEB8-B3EA-60E2-0D00-00000000D301}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54327-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 354300x80000000000000001450143Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:19.640{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54327-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 23542300x80000000000000001450142Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:21.221{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=589FEA28F8CA75F20F63D719610CF028,SHA256=302403508A15B6640E3F40277F942B02ABEFCF11C00DBD5B8BF489AA81A93CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450141Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:21.221{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=441D633CF11FDCF7ECCC22E92998D095,SHA256=71B8B728BED92FFCA28978F8CC4450E9A30D6152ACB68A0E36BED5D8FD189F1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395132Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:21.421{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-38036-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000395131Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:22.464{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBC679991DDD1569D60409FCBBE387B8,SHA256=4505467012C81BE825BE9D09D183084050852699E8469FD34479DAB472CFA730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395130Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:22.464{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF07EF5952082E48A962998614CD42FD,SHA256=37E5457D989708871874BA75FBEC4A04D68C93263F914DAC6960525E6EC8FC07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395129Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:22.027{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE18E51725555F3657BC5D117042AE40,SHA256=D80F00A88D8C99C27C579795CBD6115DDC64849339AC47804FA29F6676FA5382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450154Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:22.401{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A32C6EE7C480FAEB09FC772FCC876AFB,SHA256=C3265524506CBC42F3F217CFAD8F407C13959264328CEBF309555A828A40FC59,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450153Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:20.333{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-201.attackrange.local54331-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001450152Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:20.333{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54331-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001450151Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:20.326{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54330-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001450150Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:20.325{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54330-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 23542300x80000000000000001450155Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:23.420{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF31ECA8FC921294D9F5A0608379A4A,SHA256=10D81173CB2468ED133308762A3C4C81EE243175C78211818EC8DFE10F1C7860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395133Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:23.168{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4982090AC5B95D21C2CB9139C8D6E31,SHA256=073EE36A375C098968EE607D5811C2C15704745F144120B4FD08C52FE8775E50,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450157Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:22.590{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54332-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450156Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:24.434{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4697178B51B235A1F8E6E05AB9D12A6F,SHA256=C3E8D50E4D486974B89B670E495DD195953DB1B8136C1FDDB3557FA7216A9730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395134Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:24.199{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EDD8725184BA3F71FCF220C5867902C,SHA256=0F1FEED96A010D22EB2A87FAC115B1D6995D1FD820B6BB5DECA38F132BAF4279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450158Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:25.449{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB91EE907357936B3D9FCBBAD6B0945,SHA256=D17272074F75121FE06DFA5E0F51FBA7ADF7B8676639F50AD2E6FAFE875716F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395135Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:25.355{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E7ED04F36B4DAA2D6DE007EDFEB446E,SHA256=F72E840C3FBAB39E5F69332632171AC7F5E3EA3C799D53093C6544337AB9AD64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395137Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:26.371{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=082392BD4046B3A5EAE7DCF9204DB48F,SHA256=B348B9BA44B6EE4E5E66B013863AFA83FA5CD626191D35E8FDA4D5E3CC91B340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450159Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:26.463{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91812840E7404BFDF9AB252F42EA7B2B,SHA256=E6D230DF1B40746E3268B47BFE95CC634EF9FD548CBEF90ED7278F16F27113B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395136Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:26.246{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=AF9FC9A4799A22197F477CD1857A76EA,SHA256=5931FC22C838DC44D22D7CC9CFCEC450C0484CE071980C0F9FDAC12DCFEC8094,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395139Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:26.418{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53719-false10.0.1.12-8000- 23542300x8000000000000000395138Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:27.449{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8716446B6A8DDBAEDB1774A364D2E3,SHA256=F2F297068019F6DD27326DC045061F394AD4211018911009BB58137DE67E85C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450160Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:27.480{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF829E6CA21276676235B129B91354B7,SHA256=6D77C1C37AE5DC544734AA90257B0A614ECA6C7151E55B60821871F981FD877A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450161Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:28.496{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6541237A11B3596A04A3D52FA67979,SHA256=A5BA4A8F0FA955EE16A6768944DEBCD993B1C01CB1A0E908842162C1686D5B7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395140Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:28.449{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09CAD77612A267CF681660E7AF9F2E3E,SHA256=EB71350F5CB8786B6C9CC73798DF3126138A62CD8D8E64882D31900D1E24A604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450162Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:29.515{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9209B17A55E77E08F5721B03562F6283,SHA256=BBB8154A3F8670758FF843FFE4E4130311B64F356B5C30743682FBFB87B0BC6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395141Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:29.464{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09D4E6B87479F27245E04B633A2B9E39,SHA256=BAB6F658110FA54B0336585B87E3923004B2AD2DCE2D2D462B78F152B50C5ACF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450165Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:28.585{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54333-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450164Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:30.545{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B291548EE0F1BF1E740199ED82F71994,SHA256=36CC4B6521ABF7262D98A69DD1CA5B45A95AE1FC0C4EF3EE7292567D215600FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395143Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:30.824{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395142Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:30.574{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94EC6FB6EEDE3DB7B0BD71767EDBA11D,SHA256=64C37B74978B2A3541B1CA2C0B9C19026EE4F571F5C698C3979543B2626F1A3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450163Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:30.114{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395144Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:31.699{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21EE13CDA5F7D70D8031563F5926831A,SHA256=224CE9D28E0872B85F2E1457ACAB666909B613A9680DFEAEE5C5AD7D7A2C78E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450167Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:29.547{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54334-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001450166Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:31.559{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2DC1C79E7809AC88B6A48CEF4E9D660,SHA256=7628765CAD5638975F1B13FC6F1DAA7FA5322F7F9637B0366E7E300FF174CA72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395146Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:32.699{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B34EEF6CA4FFB7B666705A62CE64FC74,SHA256=269D1273EDF1C74756F0A37984CD25CF63DC9B26FBA73A73C0496041DF61B3CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450168Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:32.574{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F7B1314189F5D8AF9B91E42BD090DE8,SHA256=2869F2498C80AFC5BF82B69B8D682234851CFE684B96F71D714D3EA4302D7A28,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395145Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:30.996{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53720-false10.0.1.12-8089- 23542300x8000000000000000395147Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:33.730{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BEFBF81E8575C5082752DEA9A9587D0,SHA256=456F7C6954D2A83D19BEF474D416C68B5E53A8D50CF0164DE3AD74CD3AD5B847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450170Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:33.795{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=AF3AD2208435CAD6F142506CFF8B997F,SHA256=3F119CA5256921A608D9B1AA98E3384C250E9AF08A3C58E3E53694D5A6FC3785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450169Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:33.592{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=024378DCD8F510E563697E391F1A7F6B,SHA256=AA3B574A798148EDE6CD5CCAB969F081BC528A94473A4D3F4C61071A8E9D538B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450171Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:34.610{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D8E272A64D69E3AF53B42097F78173F,SHA256=3CC7645A68FD37454CD5842ABDDF9E269B0641E6F73343328F9E6ECC6540B232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395162Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:34.730{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D90209F604B83DD5F971EBA1DD841BF8,SHA256=ABA0F769D35A7FA6819A3EC2870FF2CEC826D0ED1DBAF5D9B36A56F46B51451E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395161Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:34.558{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0506-60E3-0D0A-00000000D401}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395160Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:34.558{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395159Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:34.558{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395158Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:34.558{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395157Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:34.558{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395156Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:34.558{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395155Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:34.558{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395154Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:34.558{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395153Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:34.558{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395152Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:34.558{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395151Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:34.558{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0506-60E3-0D0A-00000000D401}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395150Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:34.558{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0506-60E3-0D0A-00000000D401}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395149Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:34.559{7F1C7D0B-0506-60E3-0D0A-00000000D401}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000395148Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:32.449{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53721-false10.0.1.12-8000- 23542300x80000000000000001450174Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:35.939{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA8828B612254EF7CA26838A3D324ABB,SHA256=2B2B082DE06E7441B7373264598CBC5E9041C26C9A612CD9466606EB2C0EE472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450173Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:35.939{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=589FEA28F8CA75F20F63D719610CF028,SHA256=302403508A15B6640E3F40277F942B02ABEFCF11C00DBD5B8BF489AA81A93CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450172Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:35.755{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FCC72D2C17CB8EDEC7BF3D66E64DD7,SHA256=1AE7655E957EAA96A36F24C52DAEAC6D28679E0EA3562D7FEE2B7AD69039256E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395192Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.918{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEE25BC0F621F4FEE646D7338DC012B3,SHA256=4F108059B5DBEDA9707322E3B539EBC7808B6FC44EFA2C2E70400A95927C7AB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395191Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.730{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0507-60E3-0F0A-00000000D401}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395190Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395189Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395188Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395187Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395186Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395185Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395184Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395183Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395182Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.730{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395181Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.730{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0507-60E3-0F0A-00000000D401}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395180Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.730{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0507-60E3-0F0A-00000000D401}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395179Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.731{7F1C7D0B-0507-60E3-0F0A-00000000D401}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395178Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.683{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=683E429F7756DDC752E066BA22D985AD,SHA256=E1BA3083ACA2E9B3041070582841F3723636ABBE2A43C16C9F7B010C7E2ACB50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395177Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.683{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBC679991DDD1569D60409FCBBE387B8,SHA256=4505467012C81BE825BE9D09D183084050852699E8469FD34479DAB472CFA730,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395176Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.261{7F1C7D0B-0507-60E3-0E0A-00000000D401}3020588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395175Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.058{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0507-60E3-0E0A-00000000D401}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395174Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.058{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395173Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.058{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395172Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.058{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395171Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.058{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395170Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.058{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395169Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.058{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395168Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.058{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395167Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.058{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395166Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.058{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395165Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.058{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0507-60E3-0E0A-00000000D401}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395164Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.058{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0507-60E3-0E0A-00000000D401}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395163Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:35.059{7F1C7D0B-0507-60E3-0E0A-00000000D401}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395194Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:36.980{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5993B460B2EDF230670112A56239EC5F,SHA256=1B2F6CB0CA5AC5A511A9A4A09DECFC2DDC2C52721217DD960C5CE695AC83525F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450176Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:36.770{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98DCCF0CC207AB92741AD777DA368812,SHA256=513AA8E133088D34B2571DD0AF55DFF2D8AC72C3486E5E091FD2D6D0BB56483D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450175Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:33.627{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54335-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000395193Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:36.746{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=683E429F7756DDC752E066BA22D985AD,SHA256=E1BA3083ACA2E9B3041070582841F3723636ABBE2A43C16C9F7B010C7E2ACB50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395195Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:37.996{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=209AA37B564E6565051B3831373E846F,SHA256=FF139C6247521CA951E07FCC807B91C6F0E41F5BADFF0F30B22DCC597E6075BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450177Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:37.787{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D021EFA00EC6550A1B1246F157C53B,SHA256=A99F41AAEF8360E46D58383C10481A190FCD4016940B47D015C862F7D444B9C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450178Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:38.805{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=536C52DBAEC828094C0879D7459613EC,SHA256=B228725DFAE18004A7B88C17712C42DC5FA84F9B95E366D474ADF73718817CB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450179Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:39.819{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C22689C068F08AAE9FCA3C727B5357F6,SHA256=76976B6A23E89FF9502C407D7CD7796BBDD7A241946C90200E57EE3D708B3EAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395224Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.980{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-050B-60E3-110A-00000000D401}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395223Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.980{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395222Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.980{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395221Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.980{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395220Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.980{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395219Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.980{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395218Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.980{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395217Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.980{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395216Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.980{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395215Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.980{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395214Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.980{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-050B-60E3-110A-00000000D401}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395213Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.980{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-050B-60E3-110A-00000000D401}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395212Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.981{7F1C7D0B-050B-60E3-110A-00000000D401}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000395211Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:38.215{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53722-false10.0.1.12-8000- 10341000x8000000000000000395210Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.511{7F1C7D0B-050B-60E3-100A-00000000D401}16442796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395209Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.308{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-050B-60E3-100A-00000000D401}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395208Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.308{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395207Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.308{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395206Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.308{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395205Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.308{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395204Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.308{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395203Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.308{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395202Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.308{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395201Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.308{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395200Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.308{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395199Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.308{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-050B-60E3-100A-00000000D401}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395198Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.308{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-050B-60E3-100A-00000000D401}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395197Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.309{7F1C7D0B-050B-60E3-100A-00000000D401}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395196Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:39.230{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=201E78C8A0783DDD0A40F7BA80BC34AF,SHA256=26A2BC24CADEF98004A43FD7722CDCA9E71CB90BC28F8D08DF2909A81F02F721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450180Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:40.835{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F600FE271A83798A832F0C9E412F6D2,SHA256=E49FF507928824D6F7242C3DA590F52CC0CF89668757DB9DD4DE95D3156F1160,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395241Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:40.683{7F1C7D0B-050C-60E3-120A-00000000D401}21041700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000395240Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:40.480{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E17915588454FAB7C0D6AC17837045C,SHA256=B419660D2849D437816892A6340B4C9FA56F76F60F2D66B35B5DDABA611B6B4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395239Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:40.480{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-050C-60E3-120A-00000000D401}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395238Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:40.480{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395237Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:40.480{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395236Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:40.480{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395235Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:40.480{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395234Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:40.480{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395233Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:40.480{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395232Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:40.480{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395231Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:40.480{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395230Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:40.480{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-050C-60E3-120A-00000000D401}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395229Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:40.480{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395228Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:40.480{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-050C-60E3-120A-00000000D401}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395227Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:40.481{7F1C7D0B-050C-60E3-120A-00000000D401}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395226Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:40.480{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=392962740CBF360B2A471CFB381A82C2,SHA256=706D7EE7D422E83B83486E3CFCD6BCF9439F2F56456DE8E82AEB609AFC6FE0E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395225Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:40.214{7F1C7D0B-050B-60E3-110A-00000000D401}27443336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001450182Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:41.849{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9187711E17AFF7F906D3306F58A702B7,SHA256=BD12435E64C8608D221415607EAB3F01D28AABCFBF8E1FB1E79223E3791F1E0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395256Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:41.621{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80BAA471D18DEFD01A10A6BED57283AC,SHA256=CAAE9333DA585DE8A08010CBA7DD93C69E33054EF1BF419D7388EEE67E369C0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450181Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:39.620{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54336-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000395255Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:41.527{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5E0518563DE9EC4B48E4D71E259027C,SHA256=D431933ABAE9F0E3AADB8E774B7EE927B311C3AB41B1CC423F80EE2048BBDE49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395254Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:41.152{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-050D-60E3-130A-00000000D401}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395253Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:41.152{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395252Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:41.152{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395251Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:41.152{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395250Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:41.152{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395249Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:41.152{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395248Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:41.152{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395247Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:41.152{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395246Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:41.152{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395245Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:41.152{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395244Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:41.152{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-050D-60E3-130A-00000000D401}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395243Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:41.152{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-050D-60E3-130A-00000000D401}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395242Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:41.153{7F1C7D0B-050D-60E3-130A-00000000D401}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450183Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:42.864{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573A91C4C586777BD30FDFEC488422BF,SHA256=85798830965970B95A7584291AE73228165CD86A3017E32CF29AA4491139A9BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395257Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:42.683{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8BC540246DA5C17A5E7DF6F85DFE76,SHA256=87E8AF7FBAA93586F7885FB2A8F1643F1A18A4BB2A7FEE6709C112CA12FF6948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395258Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:43.730{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D3F158615D0A522F45B948C2A8147A,SHA256=993517AA9350888076ED2A8695C5B760D925A1FB52C7CBA7D21E2AEE3865B845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450184Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:43.882{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C3FC80E43EE40AE3B0D3143C541B8AD,SHA256=91947BD8DC57997D6BE9F97654D69DEFCDFDBEDDCF3D3F83A7FAF6491752CBFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395260Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:43.387{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53723-false10.0.1.12-8000- 23542300x8000000000000000395259Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:44.730{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F0C70C955F4AAF5A75A9F43E4708AF,SHA256=C8CDC417BC10846AA8D4ADC48A30ED80D18301EE597A6018393137801014D6AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450185Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:44.900{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0033B5B2E9F5A877C8E5B3F9679AEB3B,SHA256=0A22A104104CA8EFE6EE144402EA44F6FC772966FFC54B942ED5F67B935CF9C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395261Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:45.824{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3FCE78117F990B1F98FB04A2C62F335,SHA256=99C556C16E110FE0920D6B7FCFF57223893E89B381568FA60B87EE6A1D57B4FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450186Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:45.915{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9111CB6A73966A8AC178EA4191B7CFC,SHA256=995287DB40E31DC2964748F3CE6943110509E68FE533AA0F4D1598E56EB3AE8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395262Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:46.949{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EED72C9E20D9BE4407EB70EEF696F660,SHA256=892E6ACF85808DA66D60D69E09B6A1AADEE125BBEA61F155400F7457CEB7B57C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450187Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:46.929{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A2355C72B18E9865DF873E36F25537,SHA256=7BA47A25A29113C75AA1CCFE1CA7EDDC0FB1F4EEE8D83C95F5260D2B7D072862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450188Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:47.929{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD40C4B62D093F7C79C64A6AEADC1AE,SHA256=F5F0536BB9BAA3AB07059D314AC9DAAEB3B3AA2A39366F3EEDF1F82A90BC3F08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395263Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:47.980{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A046E56D2CE9DC056612D693029D1A8,SHA256=281F5F875C4FC63AB8F9B55809F860525EF68121EB9A7A74C7D10A5DFC5F9786,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395264Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:48.980{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C334A396A8C0AD559F40873D035FE90D,SHA256=714F41D8C362864F6D597BA8DAD65495F446D6B4267AA7994E3A12F6DB37EA9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450190Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:48.944{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9274CE1F55596C343FDBB96A0038188B,SHA256=EC7A15FF7FDB79CF6A50FADCFAEDD6D8E3FB0A8AB169042285F93C36DD81136E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450189Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:45.635{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54337-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000395267Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:49.980{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83FC795A7E910104C73C14ADA7A9510,SHA256=F1337D9F1F5F1323B5FE63093A2649AECA0E24F7CBEFFC5BD6AE962CE8BAE7CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450191Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:49.959{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED9B37408E328E3AE81EFF1B76C5DE0,SHA256=1B55278A928908DB1277A17C38900FE467E7839C353CDB3757EC0FF2986DE764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395266Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:49.964{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9A6E12789A45B44E8848D3EE4B21397,SHA256=CBEE9ADCAFFBAA3339F2496D4DC4E192C3A39E3C4F37D0AD79F0B03F39F08DD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395265Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:49.964{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A053340D74E8D08BFCCA4C1077CAD8D5,SHA256=FEFA09413F81C3A13338BFC7EFE431F875325C5F56910C2C1B1098E9E5A695D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450192Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:50.977{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489DCD7DC35CB27602D099C8889D9829,SHA256=98AC2B36F4073C3879C84F57CB8D446285BBDC520F171E1CC25F055A180DD50A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450193Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:51.994{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F879F2C90CD556A5D3A512BD9075385,SHA256=822E161317520FD7F5993D2BECE4728927F219744A697D45046E22986F2FC24F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395269Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:48.851{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-56254-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000395268Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:51.027{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C1369C07E1719A853198E7BDCE91B09,SHA256=C09533E1EBA5B67838BFDB21690657F6C379AE81C139A1A805180999A4FCFFCE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395271Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:49.371{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53724-false10.0.1.12-8000- 23542300x8000000000000000395270Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:52.121{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B26109FE9E96907E296D5FA1C74BCFC7,SHA256=82FCBABA7F030780AC82C2CB914BC52084D43A257745ADD7A7FA6F450E7E4955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395272Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:53.136{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D40AB5D42D2C54D45E1AE708D15F50C,SHA256=EFF794F4372A6F0FB8FF582AE78162BBECE18BACFF6139B250E28D4D5DF44A0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450195Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:51.648{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54338-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450194Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:53.009{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12D76E6AE98533536FF66EB1398C4BAE,SHA256=ACF789E8DC4439127EEF624CC457A2571B605F38A2A8DD1D97ABFFD4A76A3B5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395273Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:54.152{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A7B5D893AE2745A33C328CF1C47D80,SHA256=F387DEB8C23D2BAECBDFF3AB262160755F429CAD71A5EAF1988B5FC6D2286211,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450202Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:52.800{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local56185- 354300x80000000000000001450201Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:52.799{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local50975-false10.0.1.14win-dc-201.attackrange.local53domain 354300x80000000000000001450200Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:52.799{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local50975- 354300x80000000000000001450199Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:52.799{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:f870:1178:1b1:ffff-50975-truea00:10e:0:0:0:0:0:0win-dc-201.attackrange.local53domain 354300x80000000000000001450198Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:52.798{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local64959- 354300x80000000000000001450197Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:52.798{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56185-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domain 23542300x80000000000000001450196Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:54.023{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51A97F82A82C9D1CD2273F9B0A0E1450,SHA256=F1BCB2612077A5B988E111BCCFD48203FBC29151AC7BF31E83BC065FCA729594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395274Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:55.168{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63137A63DB5359600279AA66260E426C,SHA256=BBACE494C50149A3EAF921636E92F538CED38C8FCE4F8BF192CE6CAD4AA8A9C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450203Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:55.038{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFE5A68206CF3104A31E13C4B6E0256A,SHA256=9C7BD2DDB31635595F2A79CEBFD2815A6D75DB2E8A5F636EB95A4529F615C596,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395276Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:55.324{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53725-false10.0.1.12-8000- 23542300x8000000000000000395275Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:56.183{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC9287880FB221AA81A30D9D9AD7CA35,SHA256=6CE14D1B1260C9E3A85CCE4B1A7CCAF5142996E81F43604C8E9C53BC9396C397,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450204Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:56.053{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE75B426473902B68CE5A28A31327BB5,SHA256=0489D243321FAF706665176359D50F32F51AB36126EC2002F36B8F5D4B0A3823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450205Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:57.071{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62E406ED8AADB31063C5FA5F04A5C90,SHA256=2D458943F6FF6B0CA0B276701BB6FA2FFB20B95724DE8F5BCCE965B7CF87CA94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395277Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:57.183{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A92EE747C30AE02F855FAC17D6758CAA,SHA256=47F41B884ACAC0666676109375A4F4A76B790B3D7A4D3DEADE1A1613F4BBB9EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395278Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:58.214{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FF5931E8C1B8518B2C16DE94ABFC420,SHA256=CD4F69E60B8083FB64C590651E1731FFF251B493E7EA3D1EB6B675107D24D7B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450206Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:58.088{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82651ABA07E59E10152A3E05B8264B7C,SHA256=C34B2BA1DEFF12B26E4B167EC1EE5D24F2B7929A53B82D7389992B0AE0DE0C43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395279Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:11:59.277{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CD18C68A4339D639A51A23FAC4F977F,SHA256=B6249A47C7B2B28C9481876CC31590DCDED159F05439FFDC26FFC08AB426A073,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450225Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:59.903{D694AEB8-051F-60E3-9F0A-00000000D301}48764920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001450224Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:57.642{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54339-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001450223Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:59.750{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-051F-60E3-9F0A-00000000D301}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450222Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:59.750{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450221Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:59.750{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450220Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:59.750{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450219Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:59.750{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450218Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:59.750{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-051F-60E3-9F0A-00000000D301}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450217Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:59.750{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-051F-60E3-9F0A-00000000D301}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450216Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:59.751{D694AEB8-051F-60E3-9F0A-00000000D301}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001450215Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:59.134{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-051F-60E3-9E0A-00000000D301}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450214Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:59.134{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450213Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:59.134{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450212Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:59.134{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450211Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:59.134{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450210Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:59.134{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-051F-60E3-9E0A-00000000D301}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450209Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:59.134{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-051F-60E3-9E0A-00000000D301}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450208Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:59.135{D694AEB8-051F-60E3-9E0A-00000000D301}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450207Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:11:59.118{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=147EFCC2443AF09C477C9B11C856E738,SHA256=B505838BA3AE4D2BD1E54E97D9FC85ED1B3ADCD99FBEED3D21B04C531712FAD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395280Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:00.355{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A9C031E73C5177CFABCC09E833DCFF7,SHA256=38016B982FE2C587150A69DCAA91B9CA50979AFD2539525448C8C6369493DF0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450236Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:00.287{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0520-60E3-A00A-00000000D301}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450235Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:00.287{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450234Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:00.287{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450233Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:00.287{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450232Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:00.287{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450231Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:00.287{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0520-60E3-A00A-00000000D301}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450230Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:00.287{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0520-60E3-A00A-00000000D301}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450229Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:00.289{D694AEB8-0520-60E3-A00A-00000000D301}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450228Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:00.150{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E3C218F374982C7D7F31DCA1799D8AB,SHA256=C47F024F86CF3B67EE931E0A86EF9FBEFBB7AE430CD392FB2989209E1AD1DB70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450227Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:00.150{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA8828B612254EF7CA26838A3D324ABB,SHA256=2B2B082DE06E7441B7373264598CBC5E9041C26C9A612CD9466606EB2C0EE472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450226Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:00.119{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC94D8142F7160F65F688CA5114E98AB,SHA256=3FF115FC5EE0C0285565DBB569F77255465F3C32517C950CD3A50E20B26210B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395281Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:01.386{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83182F407AD71621A2B8DEBF9E628513,SHA256=48BCE7C205EBE967CF6F22EC23F96AB0BDE78BB3286366D48FC7F8FF4C3800E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450238Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:01.317{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E3C218F374982C7D7F31DCA1799D8AB,SHA256=C47F024F86CF3B67EE931E0A86EF9FBEFBB7AE430CD392FB2989209E1AD1DB70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450237Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:01.133{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA447778A663166B1F6313213DA3FA40,SHA256=8C10E7B626512308CB5F49030F5532CB80CDE7C7027461C043133242E1284A52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450247Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:02.931{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0522-60E3-A10A-00000000D301}6296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450246Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:02.931{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450245Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:02.931{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450244Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:02.931{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450243Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:02.931{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450242Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:02.931{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0522-60E3-A10A-00000000D301}6296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450241Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:02.931{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0522-60E3-A10A-00000000D301}6296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450240Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:02.932{D694AEB8-0522-60E3-A10A-00000000D301}6296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450239Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:02.148{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDAB8EDFFCB3D1566F08B09F180640A5,SHA256=37E85DCEBEF01EA27D921949641F91000973B907A6FB7B9E0659B8B30ABAA6B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395283Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:01.325{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53726-false10.0.1.12-8000- 23542300x8000000000000000395282Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:02.386{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8DAD2E79B4F9991CA0ED24DA80ACC3C,SHA256=ED4880787F6C4732BE73DF3901C24D4B04BD0FB693A7A4F7EA622EE454192DFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395284Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:03.402{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1BA6EF8FDE95CA584FF10B5AE321E09,SHA256=051F9B9320598AD61CA8FD1CC83D7B7F76227F13D44C8B4B6F533D67BF41F2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450259Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:03.966{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=021B1D91C2889B69C4C46E4C0D7284CF,SHA256=D63466EE476A2319DFAB41E99EC29AE93BF8E7847B529860BAE2129B47B508DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450258Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:03.768{D694AEB8-0523-60E3-A20A-00000000D301}54685368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450257Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:03.615{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0523-60E3-A20A-00000000D301}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450256Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:03.615{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450255Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:03.615{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450254Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:03.615{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450253Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:03.615{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450252Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:03.615{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0523-60E3-A20A-00000000D301}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450251Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:03.615{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0523-60E3-A20A-00000000D301}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450250Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:03.616{D694AEB8-0523-60E3-A20A-00000000D301}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450249Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:03.167{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AC95CA7149499653DEFD34DCA186E34,SHA256=7C4A4B8E7F76802A822B093989A4F50AD0152BDDDD0B8205F37C82F51A6C1DA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450248Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:03.100{D694AEB8-0522-60E3-A10A-00000000D301}62961060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000395285Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:04.558{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AF611FAB4A17D4353AC74493153BDD6,SHA256=607A01FF245C8EB2031B8D1627751E619E743F71C480B85028C3C7DA1ED76122,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450278Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:04.884{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0524-60E3-A40A-00000000D301}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450277Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:04.884{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450276Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:04.884{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450275Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:04.884{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450274Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:04.884{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450273Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:04.884{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0524-60E3-A40A-00000000D301}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450272Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:04.884{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0524-60E3-A40A-00000000D301}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450271Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:04.884{D694AEB8-0524-60E3-A40A-00000000D301}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001450270Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:03.154{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54340-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001450269Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:03.154{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54340-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 10341000x80000000000000001450268Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:04.199{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0524-60E3-A30A-00000000D301}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450267Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:04.199{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450266Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:04.199{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450265Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:04.199{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450264Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:04.199{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450263Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:04.199{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0524-60E3-A30A-00000000D301}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450262Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:04.199{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0524-60E3-A30A-00000000D301}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450261Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:04.200{D694AEB8-0524-60E3-A30A-00000000D301}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450260Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:04.183{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70BE0EF771A3C30DACDF6E49670510F9,SHA256=02D5A90ED4EE9027A5F7787A8EEABA4114243D9E281E78043E23862DFEDB7CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395286Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:05.558{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E7F060E4488030B20C385F0BDEC5412,SHA256=058233D3690B18AB2F3DD0BB9E1F9E89A0385B6CB63F37EBAD0B74ADAB52ED5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450282Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:03.653{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54341-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450281Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:05.199{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=625B76D62478049D84E24D3CAB5CF0FC,SHA256=A4BD5D09FB4A6EE378D3F2603DC28B2515331C309CD84D14E0CB044E11B3C2BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450280Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:05.183{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E379EB52C24495B2A3A31B5A477D47E,SHA256=A3370F3D731D82191F2D830E8EAD1E8812DB6A93D45C0C43B5D0C9378A5463A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450279Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:05.068{D694AEB8-0524-60E3-A40A-00000000D301}55284656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000395287Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:06.574{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=349C4083DB440786E44FF945D52BFF3F,SHA256=79C9FEF4A4C805765CB2C96CA506CC27375D51634D99A5DA9F1A4CE17FA28B28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450283Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:06.213{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F1D5C3E32ED878FAC43B921AD38B77,SHA256=CFDB5ABA01A8C32DA9C47D4B7190CC35E676012BFE69F61F0EB21DF5E4C5DA63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395288Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:07.574{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D80812350291D6325940F59442E74C4,SHA256=21E39196B58FBB7DF4282711345605E455A6B1EA7E1E9E6E7A4A7BB1E91EAB36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450313Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.561{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D308473829519FD689521374C522CB,SHA256=8CF49CF11B768C8C69D5FEA38993C5C43821C943CFF1FAAD817509B1BB9B84C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450312Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450311Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450310Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450309Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450308Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450307Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450306Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450305Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450304Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450303Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450302Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450301Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450300Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450299Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450298Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450297Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450296Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450295Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450294Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450293Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450292Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450291Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450290Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450289Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450288Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450287Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450286Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450285Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450284Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:07.112{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001450314Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:08.595{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D6AADE74B768D5AEC817A5E0E108F40,SHA256=BFD6F38457D1551DA0EBD91253AF0186E02BF9652F09421A6F194398278C42FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395289Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:08.652{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A77FC0412E284B166BBFF83FE180A99E,SHA256=40B479D6C81E950C7F789DEFE12E75E9BD3ABE96351CC10D8354E86615B61EB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395291Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:07.325{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53727-false10.0.1.12-8000- 23542300x8000000000000000395290Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:09.652{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47272AE0AA3960594F191A87A44516A1,SHA256=4AEBB0CB971E9A18C2403A68404EFFAB127805BE6F7C65A33DBD533C7B084BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450315Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:09.610{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88CAF2B61EAE4236051647C83DDB84A3,SHA256=842B830F375FF043AB67DB53C43AF075E45202FF17AEAAD74EFE054F244FC356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395292Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:10.668{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F36F2E6E389528C71650A575D84976,SHA256=B57F92D21509996242F9C328AF3AAA499001E90134BF19856192F0109DAB8D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450316Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:10.640{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198B4829E948E0E58A986911295BCEF8,SHA256=5CDE9AACB987DB1448770D4914FBD446D9760C82A1E7FD577CC3A2F57DCFD3C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395293Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:11.731{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B45642BD6658CA55C557A14198DC1C6,SHA256=B5CF1D5A2272ED9F9C186BD16E69830222BDE3AED0C32A1306E2368D56381EB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450317Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:11.660{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13183228F4325858DB8DE2F28AB53F6A,SHA256=E745AF783D7D58622A419D178ADAF74DD61345A6FC806B658F330EA5B45E163A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395294Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:12.821{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8290203F9BD01F2429E3BAD22301ECD,SHA256=596BB84D14485F9AC5ABD09753C24DF38BFECD98BB165CA5C574A9C5174070B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450319Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:12.706{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5583075EEF750D6CC9E0D5EFE748D57,SHA256=AE2BD671EAAFA3637852269499506F80F86305E6D4BC27C2730E2AD194F23D02,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450318Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:09.663{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54342-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000395295Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:13.854{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978925FDC17A780DF87BA48E61194756,SHA256=E144E8D77989FB96F14A95FC3FEFD979A1861C6BDD759A535513FD14691BE3BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450320Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:13.736{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=521947D13AA14085138ABCA863BE852B,SHA256=A234F3D7403599770D77142A586D7B44487723D816C62C2E938D689D843C0418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395297Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:14.948{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9053ADB55AADC44A85768D72CF16CBFC,SHA256=F8BA0960FF4721582F84000E9EC0951166AA4B890E0AC24D821A1D3198D2A1F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450324Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:14.754{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D43614CFCA0592C15C6EF94A5844A29,SHA256=7538884157C87B76BCBAABAF14A8A492FCA9CC25961FD94127AFAB86D2B7D2A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395296Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:13.355{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53728-false10.0.1.12-8000- 23542300x80000000000000001450323Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:14.704{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E90D0FAB7347C648C04DFEB7402BF6D,SHA256=504196037224DE9DE87E2B5AAD873FD26CE39E1F485864697D5F7023350EDCAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450322Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:14.704{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD475B8A20D6FA8D93EB650E1D709280,SHA256=FB27B2E3AC4170AFA393028C952804D6E8D1338F4B3A1A2259D093A850CBCA48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450321Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:14.552{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=DE2A2BAD6F924CC116A1A844A3141A7E,SHA256=5C2C7D99A2BFF6F51B4EF73F1C16C8CEEF51417047EF600FB17AB3009A94E2A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395298Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:15.964{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA15344F287B2DD8807384B5B2A45E28,SHA256=1674AA918C7C2239A7E1AE995FD008D5B016CDFBA4E82F5C38B17CF7C3F41F44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450326Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:15.787{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C64D61730011693EE675632A2E8C6E94,SHA256=B4742CC111D5F7B5A2668F3C8983F8E8D12F490C5D20900E4C826DD710DAAABC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450325Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:12.658{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-19924-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 23542300x80000000000000001450327Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:16.802{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C61143EE3FC72F3A720C249824E69A,SHA256=35CF9C82DECE452FDA34D0A80E64A9210B65440CF4113F5C083162BC0E0F02AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450328Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:17.817{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210525C59D7F8E2AEDCD26D6AF11842A,SHA256=73519C434202FEE9EC3B70787E40C672DB8903721F5B166314FCF3340AC67CE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395299Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:17.011{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3975930DEE8AD7B8C8EAF3A493DF03DC,SHA256=5CD19312279A9633841A9C00A5C28E9A10D6108DB295F29F62D1C8375CC1F423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450330Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:18.831{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB2C7982F4F64222C6CC4F0704955A8,SHA256=2ADD3AB00586E161016DDB928CE7573B4B27ED824E2F0BB5619B3CCF0B3C8FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395300Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:18.026{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=956877BBE2ECEB33580D9EC1F2E218AD,SHA256=16D6DFF9538D110AF39A25BE77B4158609E2E76ED16DC29765B6C28E79B2A832,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450329Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:15.688{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54343-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450331Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:19.848{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A12595F70F06D10DEA24D5A84371FC1C,SHA256=C3F9F711A0790F12203E642F80B9E871C7990611E8DA0FD50458AE2A48031FCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395301Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:19.026{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA049A314EE1831628D2B3FA8CA25E83,SHA256=DA1BA5F9234A5D8DC915A45FE8F29BB52E63FFABCD9A8CC8FB17231D1099A092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450332Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:20.867{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AAACBD75CD4C3D2BD256FAAC0145AB8,SHA256=36FE0453EA07A57F4774A9FDA853C3190FAA9A04BFBED392CDF8BAE607D935EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395303Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:20.229{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AB6BC2A5823020F154A7DA74E6EE296,SHA256=72ED905428EEB143CD2E8880E1318E1D50D873881584FF900AEF2A1255CAA257,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395302Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:18.356{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53729-false10.0.1.12-8000- 23542300x80000000000000001450333Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:21.882{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EDE73A03812AB0A33560A58473A7B3D,SHA256=6F4A929BC453E3FDD7900CF04204101BDED0E3F3D37E489B5A5E28F9EBDBAEDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395304Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:21.276{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08101B13964508610F4B1B91209D7B5,SHA256=DCF7E5B33EB4C28789B8135DC38410CC4BB536DE318DE0BB55AA3A1AFA0A352B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450334Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:22.896{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=826A85AA1451FC63D200F98FE737CE34,SHA256=0D9B2C2B9888CF27B8180EA86B8CCED154FC07F38658431963D7E4BA419897F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395305Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:22.323{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CAECDA997931654F3ED49CC8BF0D87F,SHA256=A73391C60E615A864F185AFC1A736E9CDD58DB7FAB7D58BD74F114EEFDF8E679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450335Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:23.899{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA8C1B0DA17AA553483C8F1DB172D03,SHA256=A7B90E1440E4ADA3A1EF749C26A077E19D7AFAEDF8AEE5CC4B3D1E5A392E0D8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395306Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:23.432{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=670787AE6C8950379695FEDEFEC06732,SHA256=990426EA2EA6139C7292EFA053222FC99BF43BC311D828F6098026CD4C77A714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450337Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:24.913{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17DA38911E7B187C54C8E9674C9770F0,SHA256=35ECA4C8FA0235EE821C80D413D4023534F12358D08ABB42C9DD4A237ACD8E5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395307Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:24.542{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4435E697730C7794457DB7AACFBBF9,SHA256=980D0A7DE1E215A66DF5DF3DB662C7AD1556EA1957D357F42FB840E96E92D510,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450336Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:21.683{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54344-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450338Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:25.928{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C34CB216CFD58E9155DFD3CFA31445,SHA256=5947651FC6ABC13687CAA68C31D1802F50C996D40D185FFC0E0C87F4DD520FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395308Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:25.557{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22E88879172BB767D03AFF842D5CFC80,SHA256=78A2CEDD10CC9396E8C6A765F6D87D07F3639977B3FFB478E6559BFA150C21DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450339Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:26.945{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73908F946DA134E8013EE8925C1D22E4,SHA256=2600C6627B29FBF07C66A912D929BBFB08A12EEDFF15177D00BBEF136508F2F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395311Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:26.573{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A4B25347FE99B9A0689C3CBC39C19AD,SHA256=750942F940BA57DF3F03E2C284D61601AC803A02D4DB6217017992375FA533E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395310Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:26.260{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1D30D0A7AB5B16C24028D59A4F27BD03,SHA256=4FD92F9EE23F354B25B386989205B7FB3B79A593393443D92881EC0966211D6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395309Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:24.340{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53730-false10.0.1.12-8000- 23542300x80000000000000001450340Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:27.964{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A19720AE6794E382FA664A7AA906BF84,SHA256=315D8FAE2744EBAED46861949EA7BEBE044D6D443C4FDF0BD145B5BFE46720AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395312Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:27.573{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE36CFBA0C8E9FF271022DFF03E56F01,SHA256=30F0D61E9C65D0CF8D0FA61A935ECAF721D15E56650CD2CD8BE51BCC2329487D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450341Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:28.979{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA2CAA64F32A1EC6C50C569ED0652E4,SHA256=CD6E25A96A7CBC36C1E866695E231AE2ED447D7403D0B48B549BA703E4966224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395316Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:28.573{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C39592836342522B0EF80DA635E0E7,SHA256=525046BB9A17E9A64627620386324D5D5F4B886DF93FACF8790D1E6C7DA78DC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395315Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:28.229{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395314Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:28.229{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395313Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:28.229{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000395317Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:29.573{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79D8D42ED38A9C7154A5CB097DB72597,SHA256=98807C2FE7318F8E5AB5EEA0BF27DA8545205C98644228706ACBF57DA2E46425,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450342Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:26.719{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54345-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000395319Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:30.854{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395318Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:30.635{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D55E5E8B416058EAFFE86E89AF4D85F4,SHA256=52D1912CA98097AF644CA16610E319AF125E2DDFDD05381C792CA83B3183EB69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450344Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:30.146{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450343Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:30.010{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76902F8D16B7CF4E0102BFCD0B5DE5AB,SHA256=9A6206BA25E1A183C3650B701B70A98BAF590AA86599FFE25B7244804E9B8F2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395321Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:31.636{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E6D33F81F334330499F600FF671065,SHA256=3BED79251D435DDB6099A597F22CCBF172BACDDDE79D5D25EA53DFA98216ACD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450346Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:29.580{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54346-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001450345Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:31.025{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06DDD55085612DFBCE0FCCB8A7044E98,SHA256=F0D84DDB6C0E554D9E1B8E070381CCBAF4B93CC65ECD386696C6057005D75866,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395320Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:30.324{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53731-false10.0.1.12-8000- 23542300x8000000000000000395322Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:32.792{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=842A9620CA511CD5ADD881E08B9B3EA2,SHA256=F2FC2F2E8B6E243AD5CBD6405A0F59CB3E14A20CBD7A5822A82122B2DB9ACB3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450347Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:32.042{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F373AE5B22D62DB0874DBC27D933B63,SHA256=32916037CCB4AE2A0C31646CC11A85F3B49E38FAA2523BE05DE917D515165D06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395324Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:33.839{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03306D1853D7EA41231CCC705C7FC49A,SHA256=63E9A88584E06609B1A406BCA4BC8AD24AC6298766B9D80014734B1039B089C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450349Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:33.806{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=29BEF6D5A42E25A7A9DD1665E8853654,SHA256=034B58ED55D29253B028DDFAF44985133AF197826FFB7A01372B879F88FB45A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450348Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:33.076{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CDDE79BB8CB9EBABA806EFAA132AD82,SHA256=92D2F9630CF833B93AB04A0DA7FA784447AE90B8AB34AB31B264012463DF3AB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395323Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:31.027{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53732-false10.0.1.12-8089- 23542300x8000000000000000395339Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:34.839{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=497F3BFA1ED2EC314F619CFB6D926845,SHA256=5C5F99955F334217C010B5FD97D00DBC012CF19D7C6F23045F8BA90F8EB23DC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450350Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:34.106{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D1E2E702D428B91F5207CB203057C5D,SHA256=39A6ADC2727182E824724B58378347C39103A174B999D84B10C5FF435A807D95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395338Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:34.776{7F1C7D0B-0542-60E3-140A-00000000D401}27322772C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395337Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:34.573{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0542-60E3-140A-00000000D401}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395336Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:34.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395335Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:34.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395334Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:34.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395333Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:34.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395332Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:34.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395331Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:34.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395330Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:34.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395329Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:34.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395328Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:34.573{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395327Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:34.573{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0542-60E3-140A-00000000D401}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395326Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:34.573{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0542-60E3-140A-00000000D401}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395325Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:34.574{7F1C7D0B-0542-60E3-140A-00000000D401}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395368Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.932{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDED6E30A4E132F95B595CECF654AA06,SHA256=ED9FD69BFE2AA13EF172C3FF7A793ECB888764B89EC24EC8A029B1ADA4170C8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450352Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:32.515{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54347-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450351Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:35.139{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F074D88E050074C53EA33B172F17A93E,SHA256=09378A0AAC964FB31316A416CADF37A9E2D095214849A158640E0B81184E1B87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395367Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.635{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE3E53804F14B36B37735B35B0F734B2,SHA256=AB658EE24813F59A6FB312ED47BD7AA7D7B78E0F79A075275C5E00818068AE1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395366Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.635{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9A6E12789A45B44E8848D3EE4B21397,SHA256=CBEE9ADCAFFBAA3339F2496D4DC4E192C3A39E3C4F37D0AD79F0B03F39F08DD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395365Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.589{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0543-60E3-160A-00000000D401}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395364Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.589{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395363Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.589{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395362Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.589{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395361Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.589{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395360Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.589{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395359Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.589{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395358Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.589{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395357Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.589{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395356Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.589{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395355Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.589{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0543-60E3-160A-00000000D401}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395354Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.589{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0543-60E3-160A-00000000D401}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395353Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.589{7F1C7D0B-0543-60E3-160A-00000000D401}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000395352Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.089{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0543-60E3-150A-00000000D401}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395351Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.089{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395350Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.089{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395349Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.089{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395348Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.089{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395347Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.089{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395346Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.089{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395345Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.089{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395344Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.089{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395343Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.089{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395342Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.089{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0543-60E3-150A-00000000D401}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395341Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.089{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0543-60E3-150A-00000000D401}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395340Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.090{7F1C7D0B-0543-60E3-150A-00000000D401}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395369Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:36.948{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F401F4074C290592C15F69E92803AF,SHA256=7164417DE6C3A5216814F8E4746FF1E16DFF11B613F51CE6BEA257278387467F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450353Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:36.158{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=590AB40B5D6FB4C08F2F275FD9F2E08A,SHA256=3BCCC6C01FF700746FA9A1C7C791F7E0BA877D5303FF247CFC514EB48139820B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450354Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:37.173{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B5F07349C0B22046A382D25425867C,SHA256=72BDE678A4950B6FB43467D3EF1EAAFF37B690C16C8B57CB3AF0F6FA13D681C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395370Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:35.342{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53733-false10.0.1.12-8000- 23542300x8000000000000000395371Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:38.151{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97EA48A39F41A34ABC84DDF8A1B5BF4B,SHA256=142BA0EE11614CB3531BD1B8CD73A726AF4B019A6E76F3423B29FF4390BE2E04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450355Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:38.204{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2063582FD9F24A95C4CB8AB19D1AD95,SHA256=E9CF27C4837A0D69CF3A27B825CB6E66BCD18714B386B1C58E671503B97676FC,IMPHASH=00000000000000000000000000000000falsetrue 154100x8000000000000000395387Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.996{7F1C7D0B-0547-60E3-180A-00000000D401}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000395386Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.479{7F1C7D0B-0547-60E3-170A-00000000D401}18683016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395385Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.323{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0547-60E3-170A-00000000D401}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395384Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.323{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395383Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.323{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395382Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.323{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395381Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.323{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395380Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.323{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395379Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.323{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395378Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.323{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395377Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.323{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395376Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.323{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395375Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.323{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0547-60E3-170A-00000000D401}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395374Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.323{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0547-60E3-170A-00000000D401}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395373Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.325{7F1C7D0B-0547-60E3-170A-00000000D401}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395372Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.167{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD9034BBBE2EB6E032DD27A4DABE34D5,SHA256=9468B8B17DE1C428E73A7D483E854A7D517BFA6571D8E70577EB525A9C794C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450356Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:39.218{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47752C4CC7D7E5FA16421527D56BF482,SHA256=ABC015525B24F7FB697B78FE7DF1E47A8AD159D27B935883A64EC40730507A1F,IMPHASH=00000000000000000000000000000000falsetrue 154100x8000000000000000395417Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.996{7F1C7D0B-0548-60E3-1A0A-00000000D401}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000395416Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.745{7F1C7D0B-0548-60E3-190A-00000000D401}19323196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000395415Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.526{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE3E53804F14B36B37735B35B0F734B2,SHA256=AB658EE24813F59A6FB312ED47BD7AA7D7B78E0F79A075275C5E00818068AE1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395414Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.495{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0548-60E3-190A-00000000D401}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395413Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.495{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395412Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.495{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395411Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.495{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395410Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.495{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395409Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.495{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395408Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.495{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395407Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.495{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395406Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.495{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395405Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.495{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395404Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.495{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0548-60E3-190A-00000000D401}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395403Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.495{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0548-60E3-190A-00000000D401}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395402Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.496{7F1C7D0B-0548-60E3-190A-00000000D401}1932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395401Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.495{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF0A7B7610F01AC47157AA1F153078A8,SHA256=599E675C03A9FE6C93032768553A87D138592EDB11D5CB5A3ED68AF5630568A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395400Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.230{7F1C7D0B-0547-60E3-180A-00000000D401}323296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001450358Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:38.525{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54348-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450357Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:40.270{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B52256E2A4088E1BF44C4B37C1156537,SHA256=57461735EE57EFBCFC65D98413AF9FAA8130EEBD80CE55DBB4D6942B8CE7E41A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395399Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.995{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0547-60E3-180A-00000000D401}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395398Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.995{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395397Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.995{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395396Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.995{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395395Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.995{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395394Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.995{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395393Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.995{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395392Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.995{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395391Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.995{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395390Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.995{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395389Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.995{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0547-60E3-180A-00000000D401}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395388Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:39.995{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0547-60E3-180A-00000000D401}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000395430Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:41.682{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A6470D873549A8BB0B80A3972F6915,SHA256=6A43B93AB2C6564B5702A895D9CF1A8256C0ED2397F879F2031658183A09FC47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450359Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:41.300{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B95C591924405BDC68B234D4FB3393B,SHA256=173240A46ADBDE4CF3AA3C8B988EC00A872A792AD7B2A818EB01892C8AB176DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395429Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.995{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0548-60E3-1A0A-00000000D401}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395428Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.995{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395427Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.995{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395426Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.995{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395425Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.995{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395424Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.995{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395423Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.995{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395422Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.995{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395421Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.995{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395420Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.995{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0548-60E3-1A0A-00000000D401}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395419Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.995{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395418Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:40.995{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0548-60E3-1A0A-00000000D401}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000395433Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:42.901{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED40F2293929D1C8B32028A2E7DB368D,SHA256=69446BDA58967F3099F0BA8059AFBDDD1F88ED2430D923D2B8BB8E0F16510BF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450360Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:42.334{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE0AD4BD973B3662C28A613FF1563763,SHA256=840570267ED671BD1B6A5E15F5644A3991E3B953A7190F6911D7121A72D33C25,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395432Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:41.325{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53734-false10.0.1.12-8000- 23542300x8000000000000000395431Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:42.042{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8001EE5964976A70DC6EB4D855E23E59,SHA256=4CCE0C7FDE6E8A98330857AAFD9E5425B720EE129081797CABD497F7EF1C27D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395434Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:43.901{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB75762A062D9961FD68BB429C448C9,SHA256=E18E0A8A10CE881E8A61311EBC824E8577A7240B6622E151C8AF22B3F464969B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450361Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:43.382{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC24FD87A6B22E900EC586BEF4BE3A6,SHA256=A50B8950C04A79C0B16AB06472CE51CECF6DAD25BCF8B1CB4E93F18AA736FEF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395435Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:44.964{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD48E3DF2EFA893DEB3CFB3C5CC7E34,SHA256=AB2C016CF3FCAFCEAEDF59BE5F7B8C6627F3B846579D4D569004687A221B1226,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450362Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:44.396{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74FE3FF5B55C02C2FF204993A69961A0,SHA256=12A04AAD6C91E9A600074C7030D2B49E102BEFCA4C1520972489A75726E7CC99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450363Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:45.411{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E60ECC3503D95511259B8C8B6D0C6F,SHA256=D536E05492FCF813AFE62177FC7EFD7DC03981B9C6BADE5E2FCF0F61055B77E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450365Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:44.550{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54349-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450364Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:46.427{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF4DB3EDB7C924F4A83D1B9905B9CD72,SHA256=D74074E94A30DD4AD3144B93BF98A3D83E4711EBB1161F4CA74F53DEEC04D05C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395436Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:46.167{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E42E0B237E2FEE0CC193D23BA9262A6,SHA256=87DAF9D90E7549FAA228087346D3953895183B2488659D902890530D30B1F29F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450366Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:47.446{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B473D628E8A980ADED2C5B9B6AEBE10B,SHA256=F659E38AF01B9759E74A11214035E91B53E13F06D8EDC4ECF7CC76FE27CA4C83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395437Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:47.214{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98DCC590160D5C0CF2AB91B0313F9FC,SHA256=D6AD74383239AA1280AD281072F734BF3E2285B4BFB56CFBC26EDE213253917D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450367Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:48.460{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183A8659522F8183995CA211B17D3F63,SHA256=5F13AD2FB50C7671E936FED77CF0AF42971F57BD459ED0BF7DC8CA39FE511395,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395439Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:47.356{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53735-false10.0.1.12-8000- 23542300x8000000000000000395438Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:48.214{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3A061DA0210593CFE117ADF830A4452,SHA256=363A3D65356D48D8B83DCA2B441B8CFE2ABFCB0332AC24BC539E6C197A47110F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450368Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:49.475{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A990111BB405A944FCDD859241E979F8,SHA256=F0733CE3BA5C585E69083F88A08C1DC17FA417AD92213665E523C76092931F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395440Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:49.214{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEB86AB18BAE82C939D4ACF0A85DD641,SHA256=C7898EF6340A114D270D3BD5D6AFB4A8D295D5DAF4E99500F98DC551749BB7AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450372Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:50.489{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ADCCD98B8A06FEA8B1232A93D423C44,SHA256=B91C11F07FBFF08D411666D745083F674A5ECC4AA78EB1AD6C1D21ACC45C81B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395441Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:50.214{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBBA0B1A5EF7F7E114343D43B04A69E2,SHA256=EE6F69A6F090DF7A0F13D48966BAFE1978BE9013E1085211AECF84DCA7DC2F86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450371Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:50.389{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450370Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:50.389{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450369Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:50.389{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001450373Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:51.505{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4682204445C9BDEA39CD4CB0420F2602,SHA256=09996F8C7B8EF4D1DFD248AF5E4BB66D9CE0A7A0EF75FBA3AD437CFA185F4C2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395442Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:51.401{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE49C98668647BE2E65D416DF41DA839,SHA256=4E3C83003D2BE4157480F1C50E26ECD8EB1685D8C6C8364C36550E578B0758A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450374Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:52.521{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D697306F5BC0B74A5E6B647D83B7A39B,SHA256=CE4B580612A6DC41AAEA7C9BE26C8BF4508AA75D19CA0E65A28D37A8A1AFA804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395446Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:52.464{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F973476C6EFBA0123CBDE61AC368E351,SHA256=D3F68BE4BB603DDCB3F71A9CD28B83BB8661B1E8FF14D65D41217E73B28C0734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395445Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:52.370{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=035EF493787E9CD7C04D167283479EFE,SHA256=724ABF62B14F8A255340A7A76625B1DC75F751F408C20B1F8077622496275E8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395444Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:52.370{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17A311C589BA20479633E80F9A7394F7,SHA256=96D069D0C4B35631CFE57CC75CF37903939FE5C3F2DA674EB1D8ACF772AB7F05,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395443Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:50.986{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-57787-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000395447Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:53.510{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE17C4FFA093CBDF0EBE873D3D801BA,SHA256=92B9B1C32BDAE66131F1DAD5B48801D2B672290A2D32A87B13D0114145017B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450376Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:53.540{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD2E9DE7D37E7B1D02593337815B341A,SHA256=2781887DF7CEF9B7E0CFE6C7088243811B304BEAF07F67E306CD8A1DC309D612,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450375Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:50.543{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54350-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000395448Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:54.526{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5691E711EAB46FD20E6C3B0BCA5CA04,SHA256=7F5AFF01460DCC65D0FB75EDB7E66346AAF625AEC860559D399B46BAC55DD3A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450377Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:54.571{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56860FDEB8DA223CD6B50E9A0DB4EEAC,SHA256=FABB56E7108F6016A9A6B218D2798562D6AF8B444B7147626E5CF3BD5F90DC7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450378Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:55.601{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F7DE1951B3125C1BB36F9934934106,SHA256=C80BFFFE1468BBFB3E79F29B7FC896371A8653D3E4DF13B662C7497FC3A29867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395450Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:55.667{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C712412CA1092F7440DFB76825355838,SHA256=02FFD942AF5AD0AFDCF3F6CE2CB648731D684A60B0BB7A1551AD120A2D5FEDA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395449Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:53.371{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53736-false10.0.1.12-8000- 23542300x80000000000000001450379Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:56.618{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBDCB296095C23197576C167724AA5F7,SHA256=01BC9943B806424DA78706C68EA2BAD95E25E2BCAC702F8B5A920FCA885FDC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395451Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:56.667{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D9D89C62EE3CF784F0D5B1A3875CC5,SHA256=15652ECB1446F4CE43436210F03914B171231A4AAC8807F13ECF735D8FE05D06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450380Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:57.637{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B618672F3393C3FDB0CE4B477DCF580A,SHA256=661EFE721ABF7011EEFF47567C8B87851F3AB40DDB02D45ADC58E5E3DA8FBBF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395452Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:57.667{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5491D0D7FBB04FEE94461CCBB3B21CB5,SHA256=599AF0F62588001764DA509E3E278CE9D0A33C939C34BE5CF3F79D33ED2A1F16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395453Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:58.667{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C9ADADDAF484F810791BCB26FEC0AD8,SHA256=AC2E92CA1E60DF8398104C3C099CB6543DD67FC53939CA4A96ABC08057468DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450381Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:58.651{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A7183DCA0C1259CCE68DA1C2F50CB1,SHA256=9B2CDE83553655CDB9AEA25722F5F292B5CFF1DDA31E9B7BC056A016920D586B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450400Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:59.882{D694AEB8-055B-60E3-A60A-00000000D301}65525568C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450399Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:59.720{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-055B-60E3-A60A-00000000D301}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450398Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:59.718{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450397Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:59.717{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450396Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:59.717{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450395Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:59.717{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-055B-60E3-A60A-00000000D301}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450394Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:59.717{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450393Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:59.717{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-055B-60E3-A60A-00000000D301}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450392Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:59.715{D694AEB8-055B-60E3-A60A-00000000D301}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450391Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:59.651{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9927466E7DFEDF26FB93774652DEA6B9,SHA256=E906FCE3964606879A9281F34DABBDA882486819BA3C5C1E84F04308710A1A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395454Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:59.667{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1EF972FF884120A5997AA83EA55C188,SHA256=33BB3902C297AB4AB68E24B4B1CD1B98CEBBADAB76861722F69F78262A23937B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450390Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:59.097{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-055B-60E3-A50A-00000000D301}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450389Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:59.097{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450388Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:59.097{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450387Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:59.097{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450386Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:59.097{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450385Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:59.097{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-055B-60E3-A50A-00000000D301}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450384Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:59.097{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-055B-60E3-A50A-00000000D301}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450383Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:59.098{D694AEB8-055B-60E3-A50A-00000000D301}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001450382Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:12:56.569{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54351-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000395455Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:00.667{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=505A1477979F9ADC25262A2EE6BAEFC5,SHA256=44AF7206635865398CAF5FCFBEA3C85C6DC38AC7DEDF966CFD298215E64254A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450411Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:00.681{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84106F0DE9D149239F6921D909A3317C,SHA256=0B0665CE0A916B9B105E2D204989E3715B2FAC4844A5671CE717D0AB0FD4A9A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450410Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:00.318{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-055C-60E3-A70A-00000000D301}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450409Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:00.316{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450408Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:00.316{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450407Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:00.316{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450406Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:00.316{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450405Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:00.316{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-055C-60E3-A70A-00000000D301}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450404Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:00.316{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-055C-60E3-A70A-00000000D301}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450403Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:00.314{D694AEB8-055C-60E3-A70A-00000000D301}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450402Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:00.098{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0410CFE3C345190CCA6AC3FC4A87C35,SHA256=F41477363E4FED037B62FF5CFA472B8D3D39B11823BACD3DDFF2F932431CE598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450401Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:00.098{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E90D0FAB7347C648C04DFEB7402BF6D,SHA256=504196037224DE9DE87E2B5AAD873FD26CE39E1F485864697D5F7023350EDCAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395456Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:01.667{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE3B6F504DCC706D1DD7E2453D4A85F,SHA256=475FFF8407FE54BC2087B20EE0FDE9A613F5B107B5FC5F5C718F59F3551585AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450413Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:01.696{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30EB58A26FACFD885104E1EDE0C8BCB,SHA256=BBE5E6A84286D707C3F2E7F240B5ABA9F04AF99E0A05648B79ADE819FFE3DDAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450412Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:01.349{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0410CFE3C345190CCA6AC3FC4A87C35,SHA256=F41477363E4FED037B62FF5CFA472B8D3D39B11823BACD3DDFF2F932431CE598,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450422Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:02.864{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-055E-60E3-A80A-00000000D301}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450421Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:02.864{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450420Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:02.864{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450419Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:02.864{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450418Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:02.864{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450417Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:02.864{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-055E-60E3-A80A-00000000D301}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450416Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:02.864{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-055E-60E3-A80A-00000000D301}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450415Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:02.865{D694AEB8-055E-60E3-A80A-00000000D301}6608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450414Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:02.713{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1803E65D01E07F6CD1FDDE6C271495,SHA256=80D2C7C8284ECFE61C15C8DF7C6E206938A42676F433C2230E8F74C96003F928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395458Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:02.667{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53867FF65C163869103E69352EBB19F2,SHA256=59B474106C60094E5C1E79B75F402DA75345C1C93781BEEF52DD06B8A8AC320D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395457Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:12:59.402{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53737-false10.0.1.12-8000- 23542300x80000000000000001450434Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:03.878{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82E21A19F4FC0BB50A87F3D1F237939F,SHA256=C5DBB2122E22C2BC1AEFECAD6C788252B2E8DD28B07CF0D1041D54FCB91FAA37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450433Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:03.732{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=191751A53D0E8870DB9741F998567CAE,SHA256=CE8341844BF4D914C4597A84CBF99C12D24E6B7432A4F4FBC80B94E58C8F5283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395459Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:03.667{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D4AB53D3743673EADEE569C73D418B,SHA256=6D1DE91B0EED56C22E85009DDE814E685624D3139D4BABFA1AFA9412CD390D58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450432Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:03.679{D694AEB8-055F-60E3-A90A-00000000D301}12725076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450431Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:03.547{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-055F-60E3-A90A-00000000D301}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450430Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:03.547{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450429Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:03.547{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450428Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:03.547{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450427Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:03.547{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450426Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:03.547{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-055F-60E3-A90A-00000000D301}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450425Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:03.547{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-055F-60E3-A90A-00000000D301}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450424Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:03.548{D694AEB8-055F-60E3-A90A-00000000D301}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001450423Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:03.016{D694AEB8-055E-60E3-A80A-00000000D301}66087100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000395460Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:04.667{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F219DF30C7117A162E0EB86C61A2EBDD,SHA256=78A883A2CF936A63B43DC7FD1DED8261B739BDAA46E8F988089146999F220C5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450451Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:04.893{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0560-60E3-AB0A-00000000D301}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450450Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:04.893{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450449Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:04.893{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450448Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:04.893{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0560-60E3-AB0A-00000000D301}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450447Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:04.893{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450446Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:04.893{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450445Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:04.893{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0560-60E3-AB0A-00000000D301}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450444Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:04.894{D694AEB8-0560-60E3-AB0A-00000000D301}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450443Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:04.746{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DDDE9FCBF72B16C401893BD2B68645A,SHA256=05AD13EE9716DF7AF26AE22E7027C19F286CCDB31ABE495C259A1E9CA6B45685,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450442Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:04.214{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0560-60E3-AA0A-00000000D301}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450441Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:04.212{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450440Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:04.212{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450439Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:04.212{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450438Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:04.212{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450437Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:04.212{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0560-60E3-AA0A-00000000D301}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450436Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:04.211{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0560-60E3-AA0A-00000000D301}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450435Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:04.210{D694AEB8-0560-60E3-AA0A-00000000D301}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395461Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:05.682{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D76B22FE9EC63EA29571B91C4FA4C8F1,SHA256=0FB7D5517598E78BD815C8BB76F6C9BABE83A471B261AE1151945BD3A4798FD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450457Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:05.746{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=721D58B277719D0B961E85A127A61D48,SHA256=B5563DBE41DFA28C618A123B7F2702CB403B74532EE316087247821BD05121C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450456Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:05.247{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=847E8EC4F95934D3F7161C09476EE960,SHA256=BA0CFDF62E8563FA76B1FE048C6D52DB51F9E1F6FEB3273297802D3A76281DF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450455Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:03.165{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54353-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001450454Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:03.165{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54353-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001450453Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:02.568{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54352-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001450452Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:05.046{D694AEB8-0560-60E3-AB0A-00000000D301}60485240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001450458Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:06.761{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7816CF8239AF1FE80A4F6CC3B9544AB,SHA256=7670715822B03502B43F34A840150BE61AC10E4B55FF179F5086F8BA610BCAC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395463Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:06.682{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D258343AA801FE33C767B1A47AFE25,SHA256=529FB1D2ADFEB368559995C8F636FAC458D068DEF08D6457070A2D61C9876930,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395462Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:05.403{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53738-false10.0.1.12-8000- 23542300x80000000000000001450459Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:07.775{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7DA7D7C77CE8851A3D0CBF2C5389284,SHA256=91CE23B378E923655421022BC2429F70FC5115E9B4AEBF307C033BFEFDEB72A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395464Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:07.682{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23CBAAACA7A5F02F45C032126D174CC,SHA256=E218855EA960A81ADE823525B3CF28C011D379D7CA4EBAFD1D88594C39DE8CED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450460Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:08.790{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BB1FC21A3D5B49228F5CE12E84FA4C4,SHA256=CFBA6F171A79F8D423F7C741111FAC44B2FF3601E64141FB4F90C5087A9206AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395465Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:08.698{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6062EE5A1D62130D09AA5874ADC3F8D,SHA256=506C33662CC92A4B242556704EAD95AA473DA6B0AD875DE750135E7FB6DF83A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395466Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:09.698{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54539843C0B8162629F82E4871607350,SHA256=4FC2182EFC06288E9D347CE0531CF36E334A5ECBA3DDAB40657C9C235F35AF57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450461Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:09.807{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2504F63BF91F17E3D1F260488F2C7B94,SHA256=5C0F627AC6127B19577B1C471245B2647D8C801CFF40E3992FC4B86448C225E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450463Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:10.826{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559E3E94029B4BE0004D5C7AB0B3E96C,SHA256=B294E893F6DA9B5ABFFE0880DE6530CF545E0C0E270934ED45D9860C3695740C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395467Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:10.698{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A3406A320F2B2AFF635FFE55E0E2DC,SHA256=2B3C92798CFEACBEBF7EFB2BE15EDA2BEBBCC71D3EE07D337756295751EC20CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450462Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:07.613{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54354-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450464Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:11.841{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA19B0A38E2896BFA40B6A926F3EA9B7,SHA256=D70941C1A7695D2231BFB950BB3CDC29401E51D74379AE307740DB1FC6E11DD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395468Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:11.698{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB8FE5EA16F4054B609BF31EB0AFA05E,SHA256=96F8A313C4949166AA2D0E80CB6E5BF9B0748C77ACF61DDB8F318ECA936F443D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450465Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:12.856{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54AEDCF3E319EBCB4C3ED9B7952232D,SHA256=6565B107D8D73F198D3477C96DB91B865C0B9DC7A9982592D6092E65EE6735E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395469Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:12.701{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7099E715269677994B55125E2716548E,SHA256=202611A685DE4DD45313CC865F9D189507FCB9F6F05F64F6EBB984F39DE5552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450466Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:13.886{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F45232DA7C48EEDC1388BAA8FB3A8D,SHA256=C6C267137E93F028B3385AC5E07C5DC8CCE5BF54C25BA0C1C5082A0B6D2C3367,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395472Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:11.419{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53739-false10.0.1.12-8000- 23542300x8000000000000000395471Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:13.714{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C31CB9AA040A4548E8E843E9B582BA6,SHA256=D7C7DBCE3504293C2ECC4B19432C806AC1F2CA183B9E1FF4D18F3886ABC62963,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000395470Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:13:13.652{7F1C7D0B-B3E4-60E2-1500-00000000D401}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7719f-0x82a8522f) 23542300x80000000000000001450467Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:14.906{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC20818745505F281C97D64AC46D6167,SHA256=D3CD221A585D7278959187DFD7387B1EC5CF42EC72E9E60344DCF2B8D36DA356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395473Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:14.717{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=819FBF0CB10EC57570551D1CFBD77EB4,SHA256=CD47BEEB3BCD2CA6FBD893B74DCD077046D2F541871E8ED4DD5BACA5D19CCD4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450469Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:15.921{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6301E345E9C16BFDDEA0F152ADD4B9E2,SHA256=65759A4B5D25E77668F78B360B65A74B941592630CB78F0B0C168AC6A0DDA628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395474Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:15.717{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48137095874A6FFDE90C1CA51C75B4F9,SHA256=0F5AC691A2500EDD02CE56BFE2FFB75E350FE09235EA14D312A4C558E3723F8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450468Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:13.639{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54355-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450470Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:16.936{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CF84DE52941C59A2F4835B43645C15B,SHA256=8122F9090924B3FC3C9FA57697D9038C44BFE37F4B8BA9FCE766AC28B4AEFCDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395475Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:16.717{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2EE7C277A18C67046457E2CBD15CBC4,SHA256=29E55314300D8A5D036CA4947EC8B5462084729A04060609D04E242C7A4AFFAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450471Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:17.981{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CFD7AF97854D70F64C4CE3DD45DE90,SHA256=7EAC4ED14634D6C686C43D19A9BB74B38DAED5F10C89FC8E992C69B491F9CD6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395476Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:17.717{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30794B20139CF666E98EA146DBD9DEF5,SHA256=E1B0F81B56A49E283A4709C6357FC2242AA26141CE608801430D38D41B27C38C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395477Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:18.717{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54E3FC34B59D1FFD9265EC31D266C015,SHA256=74F860375E1C10FCBF8BE76F662DD783B65CBF5D95686437DED9124060C6500D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395479Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:19.717{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE312C48D21A38E48AA095F18628CA87,SHA256=4F83E5824E50F8BF2A90C225991CF1D2B89EF20FBE614F575FFCE3C206581098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450472Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:19.000{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6251965E25DC1EE7A1639951629C2193,SHA256=94EAC752D5B138B6EC024AB04B3D5945DCE5653D7B7A29EB472F6669BBEA9FDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395478Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:17.406{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53740-false10.0.1.12-8000- 23542300x8000000000000000395480Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:20.732{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF59D70D83B3393D963A45DA9307272,SHA256=03B5AA55A1ED4243768BF314AD7ED87589BE639C4BCC0A71FF500AFCA5A89D71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450473Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:20.017{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A15DECA3299C843A3EB7E03B10EA23B4,SHA256=EC73A2E8EF4CD6812ABD575E321F5F81AD9BA3632D46121BF69B6068836ADE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395481Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:21.732{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B4E8FDBF4576FED96838F96267E5DD8,SHA256=98065DAE41775113F08CF7804EAD2968F02C52AF654A29A45C0526E83EBDE8BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450475Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:19.652{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54356-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450474Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:21.047{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA0C93D551BFAF5CBEDDEE881CB1927A,SHA256=92C79BF3D38976754926B25D37923B27C7EF6AED5636704AFE7005DAA881BD3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395482Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:22.732{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF11F3C6B6F55D30DD92F696253D747,SHA256=CA93357DD7DB2AD5A5DFB272B43BF99762B6064AB7DF692F6DCEAC821052A32E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450476Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:22.077{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E00D001F7AA13C748DE33C7C2A81BB2,SHA256=31F9FB2BD654B2CA311A3CEB858820F5573BD17382689E7AACB8237A6DCF1BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395483Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:23.733{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03AEA25D5DEAF5508D0BD128F7DA4C97,SHA256=040752F104A7AD76CDC4572B783456C2B5642DFE1A094F99C24D3C73F0E39D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450477Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:23.097{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A96283794DD617DE8C12C8BA73D90DB0,SHA256=549D3CB41CA4A08AE75474EFCFA285AEAD1A9E9A2E7261D588E4B907BF7AA258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395484Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:24.748{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D2FB6E013E250F886AFC92412A60756,SHA256=725B362433F7154BC6333641CBD55DD4AC6BCA04B9C142CB4D1E955058A668FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450478Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:24.112{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0797A990BBF7429CE301BEEC6F178D,SHA256=0716ECF53AA4ED8B448442AE99515696DF85ACD9DBFF9EE991FDA536C30CDF08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395486Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:25.748{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4547C6F2FC3438743DD234C9147352F5,SHA256=467350455025FAD60E3D7FB59B0238C9A1AFDFF05FEFB0FDBA8E988A7C46328B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450479Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:25.127{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25ED5FDFDAAB522431CCA6CEB4B33F83,SHA256=49FAAA54FB0D2E36606BE7CE202D74D905EC9024E953956B1713EC97A87BC779,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395485Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:23.437{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53741-false10.0.1.12-8000- 23542300x8000000000000000395488Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:26.748{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA9BA2F4F0A40B34C011C27D7E545E8,SHA256=117611CD9F7A3AE5F2D5C0CBBEE3A2C20D4D6FE7D73F5F0911F2DDFB8895EA59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450480Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:26.141{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E14971B36BA27A738D63EA9697C499,SHA256=1D22BDA9F2AE86D1C92FFB1247F48C5A4EAA14C1837C5E97971F9A65C03CC740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395487Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:26.263{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E522046C4DEC8CDDB033B47392E0AA7D,SHA256=08F1ACDF2756C4D7F4AAA0CCE9A8D8BB39EA2E7D5DE7D5378A0904B0701E7B69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395489Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:27.764{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1796F2CEFAC313813B7BB6278183288,SHA256=1E3D06815F74D9D17381EBAD136A3CFAA3C80D7912A81C5696021B204F2CE252,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450482Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:25.679{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54357-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450481Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:27.156{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47D6D3FD950124B709CB16AAD846A28E,SHA256=351BD65063438256D7DB30E40E424FD74ED96D28E00A074B9624325CDB0236FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395490Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:28.888{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5701861DBCD0B0EF54C14FB2D9DF0065,SHA256=73A9F153629E2099E1705C067EE4C3252BC06546DF505BBC365EA6052EC2E896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450483Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:28.171{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A472A6D863D7C363ABEF93A159E014A,SHA256=AF52047C73FB668B87E0BE18CF128AAA6197AE59BC887EBB85CE2A95D288DE88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395491Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:29.951{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2511607CDF8B1F9BB6B883FD753BD6D7,SHA256=ACCB274326C94C3BF446D277B79180E73D0ED412EF9C5B47612C7439880318EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450484Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:29.171{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=139BC8C8ED944D2D9FD57D5127010909,SHA256=B2438C4295D800156E4FB9C72112C8EE73DC6D3DF495FB00C0E4DD5F47B21DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395494Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:30.951{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F29AABB56A9DBBCC50327E6A6BB837E2,SHA256=B954012DC65A9F04A4BA12BACA59D09DB192F0282D70061594AAC9AA4BAA195D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450486Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:30.189{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C80F74A10284A02C6AF424686A2B15C,SHA256=E166735BBA452D9D516AE44147B685182AEFAE66F33156A9E58B94DA2442DD8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395493Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:30.873{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395492Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:29.219{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53742-false10.0.1.12-8000- 23542300x80000000000000001450485Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:30.171{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395495Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:31.966{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CBD557DB3FEADF86B6DB942099AD667,SHA256=32C1AE602606C1AFB6A7097AE26722D2EB66FEA0BC968DDB275C8EAC2A78F1D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450487Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:31.208{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DAA1711A145EE2B5FDAAD18BC7EED11,SHA256=75C9B66B23197AF9526458B782904D5A727E98112C8ADD14137D859F33C6E6F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450489Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:32.222{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FD79500A3D11B34F78BB2ACAF3C1565,SHA256=F1A666563323A8999F517D4F329A24F7B0D64D3B102C83AE90781DC9AC2F82EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395496Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:31.047{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53743-false10.0.1.12-8089- 354300x80000000000000001450488Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:29.610{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54358-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001450501Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:33.821{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=13FBC43573D90EA59E67E3B5213D577E,SHA256=FDF28817AC8E243657E0D77EC496B9BF31A0B37E8519C8D42D9A73CF00E619C2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001450500Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:13:33.337{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001450499Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:13:33.337{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x013ebbc3) 13241300x80000000000000001450498Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:13:33.337{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77197-0x2c20b5e9) 13241300x80000000000000001450497Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:13:33.337{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7719f-0x8de51de9) 13241300x80000000000000001450496Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:13:33.337{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771a7-0xefa985e9) 13241300x80000000000000001450495Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:13:33.337{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001450494Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:13:33.337{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x013ebbc3) 13241300x80000000000000001450493Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:13:33.337{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77197-0x2c20b5e9) 13241300x80000000000000001450492Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:13:33.337{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7719f-0x8de51de9) 13241300x80000000000000001450491Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:13:33.337{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771a7-0xefa985e9) 23542300x80000000000000001450490Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:33.237{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=957FBFC5784F69F6FA1CE8B215917082,SHA256=C0A6FBD96A7760013FA511C26E165E82785B0BEDDCAB8F1E50B25E2C7794EBDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395497Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:32.998{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2197D702BBFBF9DAF24367F35DEA4778,SHA256=548C787EA4C3C6C4A7196588C6214C18C8D56DD8C3B8908D03F8F29CCB789C3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395512Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:34.763{7F1C7D0B-057E-60E3-1B0A-00000000D401}28603160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395511Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:34.560{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-057E-60E3-1B0A-00000000D401}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395510Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:34.560{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395509Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:34.560{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395508Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:34.560{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395507Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:34.560{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395506Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:34.560{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395505Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:34.560{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395504Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:34.560{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395503Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:34.560{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395502Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:34.560{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395501Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:34.560{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-057E-60E3-1B0A-00000000D401}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395500Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:34.560{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-057E-60E3-1B0A-00000000D401}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395499Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:34.561{7F1C7D0B-057E-60E3-1B0A-00000000D401}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395498Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:33.998{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB4F669A8D6E8ED551655A701DD84EAF,SHA256=6F2A239093CD65121A799AE91892E20F197A0569BF0000B2A2A6E33A1CA00533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450503Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:34.251{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F0F9254B5C62C9A879AB79CF75F36F,SHA256=AACAFB7DA0223A767C8AAE47E05DF30137809792CC94D5883132810842383B6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450502Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:31.461{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54359-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450504Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:35.266{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747F5A526FE9E46AED8033B3268A5BE2,SHA256=F4484891AA74F65D2F42BDF2ED2E80E3A903A87EBD03EC0FB6110F4B643C4815,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395541Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.904{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-057F-60E3-1D0A-00000000D401}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395540Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.904{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395539Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.904{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395538Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.904{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395537Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.904{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395536Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.904{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395535Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.904{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395534Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.904{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395533Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.904{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395532Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.904{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395531Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.904{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-057F-60E3-1D0A-00000000D401}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395530Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.904{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-057F-60E3-1D0A-00000000D401}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395529Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.905{7F1C7D0B-057F-60E3-1D0A-00000000D401}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395528Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.576{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67975C952501E6C2ADE0456D59C61D3F,SHA256=333688081471CA3392BD9889073F0A2938A6764302E325F74345B3E7383274F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395527Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.576{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=035EF493787E9CD7C04D167283479EFE,SHA256=724ABF62B14F8A255340A7A76625B1DC75F751F408C20B1F8077622496275E8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395526Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.232{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-057F-60E3-1C0A-00000000D401}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395525Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.232{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395524Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.232{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395523Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.232{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395522Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.232{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395521Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.232{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395520Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.232{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395519Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.232{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395518Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.232{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395517Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.232{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395516Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.232{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-057F-60E3-1C0A-00000000D401}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395515Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.232{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-057F-60E3-1C0A-00000000D401}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395514Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.234{7F1C7D0B-057F-60E3-1C0A-00000000D401}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395513Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:35.029{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF3448EE85ADAD6C4CE29DFC5DC53B9,SHA256=CC7E7B88E0E4444AD4020AD20A1F39655F881FDB32891C465AF2F5FABCB3664A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450505Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:36.283{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA311EF00E75DF799C4F8EB79F4FA457,SHA256=1949B34133A0844B9D311C4238C7DB523E07D47247909287B4BB3E16D13E563A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395543Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:36.326{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA5D20441869323404ABA04D0A96C7B5,SHA256=965455BFD6982F70DE80F5C696AE9B8818D668AD126C0701516386F2D2C81C14,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395542Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:34.282{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53744-false10.0.1.12-8000- 23542300x80000000000000001450506Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:37.316{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED3F75D711FE0951994B6458ADFD7AF,SHA256=7CF9A4485384A055C2B03868EB4BBF2CB7D105408A7E37C282F8F25554C01997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395545Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:37.373{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=220AFC0EF4BBECA5DDB50E7C73935C87,SHA256=A48097FDE6396754C024A62D1EB020BFFB690A202F23ED8A895F1599669C7EBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395544Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:37.029{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67975C952501E6C2ADE0456D59C61D3F,SHA256=333688081471CA3392BD9889073F0A2938A6764302E325F74345B3E7383274F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450507Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:38.331{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEC62852B784237B2B7CC1FE8AADA9AE,SHA256=8C59DDF6AFB3937CDBC13C51A0294C2729AC15A05C0D2F40C348F3A37DA4CB6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395546Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:38.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AFD36BFA052F3054A38129C2BF3A0FF,SHA256=E732F41CB4FCD8A7B6F3625AE01543FFA985C517F143EF0B8A5672E5CCA600CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395574Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.982{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0583-60E3-1F0A-00000000D401}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395573Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.982{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395572Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.982{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395571Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.982{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395570Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.982{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395569Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.982{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395568Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.982{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395567Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.982{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395566Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.982{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395565Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.982{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395564Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.982{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0583-60E3-1F0A-00000000D401}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395563Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.982{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0583-60E3-1F0A-00000000D401}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395562Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.983{7F1C7D0B-0583-60E3-1F0A-00000000D401}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000395561Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.482{7F1C7D0B-0583-60E3-1E0A-00000000D401}14522556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000395560Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0BB7DD40B57FDC7E18E30728658A86E,SHA256=A35FD312B577A4253C4D640329C63057D2B11D03FB281DB8D1F0CB670756CEEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450509Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:39.345{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96E14AEDBCF12219F03797D82C3ED8A9,SHA256=322E81D7F830ABB1D694C78C0544990D3B8A0EA53F4AA08BCEB45A947E8A4EFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450508Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:37.485{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54360-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000395559Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.310{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0583-60E3-1E0A-00000000D401}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395558Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395557Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395556Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395555Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395554Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395553Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395552Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395551Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395550Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.310{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0583-60E3-1E0A-00000000D401}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395549Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.310{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395548Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.310{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0583-60E3-1E0A-00000000D401}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395547Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.311{7F1C7D0B-0583-60E3-1E0A-00000000D401}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000395591Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:40.810{7F1C7D0B-0584-60E3-200A-00000000D401}33481944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000395590Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:40.654{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E38CF59AF07E092DA2FED19BB5C3A43,SHA256=3E5C241F092359D9045AD5933C440C6F0E3CDF6256554AB14CF5D2F5FBA6452D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395589Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:40.654{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0584-60E3-200A-00000000D401}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395588Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:40.654{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395587Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:40.654{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395586Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:40.654{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395585Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:40.654{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395584Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:40.654{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395583Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:40.654{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395582Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:40.654{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395581Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:40.654{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395580Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:40.654{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395579Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:40.654{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0584-60E3-200A-00000000D401}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395578Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:40.654{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0584-60E3-200A-00000000D401}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395577Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:40.655{7F1C7D0B-0584-60E3-200A-00000000D401}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450510Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:40.360{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C574BDD232AC097E7E472639E7ABE4F,SHA256=D4D558385D0D933B1B8DA573D026D4A084FCF9F7D9E4780F5867717C04D2FA78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395576Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:40.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3002A81E8D6669CAA629E79B703C177,SHA256=B051EC8B370BD4DBACF01203B280B610ACDF26A0AD27550D3E3BB07956BEEC04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395575Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:40.138{7F1C7D0B-0583-60E3-1F0A-00000000D401}24003740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001450511Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:41.376{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48141B3FD7C4C284E1AB58B72354C786,SHA256=563989DE51C4A55325569B15A33629D8AE534313FECDB1D6AE7E941D37522E40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395605Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:41.326{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0585-60E3-210A-00000000D401}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395604Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:41.326{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395603Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:41.326{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395602Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:41.326{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395601Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:41.326{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395600Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:41.326{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395599Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:41.326{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395598Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:41.326{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395597Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:41.326{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395596Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:41.326{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395595Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:41.326{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0585-60E3-210A-00000000D401}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395594Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:41.326{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0585-60E3-210A-00000000D401}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395593Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:41.327{7F1C7D0B-0585-60E3-210A-00000000D401}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000395592Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:39.281{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53745-false10.0.1.12-8000- 23542300x80000000000000001450512Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:42.395{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAD18A55DA35DEB92B741200F40AFFEC,SHA256=5F7E88783127C60444364DB4675592EC424A121E9D6F59E9A57CB01B99A3ACA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395607Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:42.091{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE555CBC5ADB3F776A48127921D912B6,SHA256=A5BC4B712C231F92AD973907727FFEF712627E292909F5ED712E2A5A8C345DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395606Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:42.091{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E90E752E1B3646867C93905BD10FC0C,SHA256=2F7BA617C4A67528092E1FDC3F49EB789FE209C296F9922C8AC0E3A76E012C6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450513Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:43.409{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A17721EA4F8C12A67542DCCD102DCCCA,SHA256=08B7DAC128DB916B969F4296672BB2C6F16C7008F80FA11B205C0A3DBFB74DC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395608Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:43.091{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ABADA15F7FC0B4BD92FEF408C706EB7,SHA256=6A7C7DBD33CF0AECA2655F557DDB5A1B695DEC73D8A41DCD2B3A0AF30566CC4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450514Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:44.440{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32338863639708AD8767F4839DC6CB84,SHA256=D38D14546A1CB4E8F7BA238A00047A3119AFFDC4DD05946B895230FB987BE699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395609Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:44.138{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99E71E8DE1366FA1B55D133F786D4446,SHA256=6415A44E1C132F4BB4BE6F9793BF58128E204E2823A3F8C5B9D7945BF2EAF303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395610Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:45.138{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB269B4CFEB340530A8B93A59E7BD64D,SHA256=7A80CACE987306721D67CF561A33C7B8E72EE0883012E2358C0870ADE3BD0C1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450517Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:43.509{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54361-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450516Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:45.473{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EFF315EF31A69B99A316E5C402AE724,SHA256=657A5A6735EAD75D9F1423F59576B260AA4067ECBC645C5D513A34AB7D24F4CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450515Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:45.139{D694AEB8-B3EA-60E2-0D00-00000000D301}9166928C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2500-00000000D301}2804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000395611Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:46.185{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E34E94B1C45058F393FC2F68A8432ED0,SHA256=45F7D7D1E89C2CB88E29348A5405BAB6AD93383A016077ACA37DC7ED60713584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450518Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:46.474{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A974673CCAC1A96BF556737B19E9D7CE,SHA256=8C48C16009042F00A838D8D4BF8DBA03B023A56196B03555FA77E6A05C691D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450519Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:47.489{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25F69F07FF19426173EF83B0271E7E6,SHA256=406B0AACA30B6EEBAEBCE171F80520F4A519BFB733CE9B9BBC2B92FD084BD76C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395613Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:45.297{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53746-false10.0.1.12-8000- 23542300x8000000000000000395612Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:47.357{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7833EC38EF977D422FA74AEAF7DB0853,SHA256=C39CF7F6FBB04494DF2B5A0A10E6B4F456FE72B3BC78EC1358E918C1FD0FC6B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450520Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:48.519{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E0E77A5411D9A2744A1677267E83925,SHA256=8B4310AD28792E693BEC21C1D86F0F1A16FD49BF12B047CF3DB3CF4CF079161C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395614Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:48.357{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE14D2683B510ABF1D17BA8D468B691,SHA256=BA436BD34B75C31A00F6AA857E623C37B9A59C839B0091DCA2877C7A78A938B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395615Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:49.357{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F94F86DCB4609870BD6DF17BE97D65,SHA256=9B9CB5BFFFBCBFE44C0EC04F59F2CA8AEE36CAA3CDC6B5EA4CD73CA433838C1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450521Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:49.549{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D7F5AAE2D3F0C3DE4492CD7D70EC006,SHA256=C6DE49640F0D911F1A53986869EF7E74CA04964F5830F0DD84F669BC4B22B5DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395616Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:50.560{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A1D520EF60574980C13C0F5873E95B,SHA256=825E1E24BE68D92DDA5893C5A2B7317F16AD0683210A10157440F75B053BFB32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450522Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:50.566{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF7BCA0954AFD7CABD3A43EAD85E774,SHA256=9C09AD61506E6F62DBE88ACE5D7789451DEB8DD6411259E0C0665027606B1EC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395617Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:51.576{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F484150C481FBF2C76F45B34DC37422F,SHA256=0432C583D930CF861168563EE1F2DCCEEA911EAD472B43F605A8711017BBB75D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450524Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:51.584{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4929E2E11E82F6526B75A254FFEBFDAB,SHA256=6A9068A758F38CB1A0E059A4E8C5AC608418717AF46E64E8397137C9411426F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450523Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:49.502{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54362-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000395622Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:52.857{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60A7199738BDFDD078D2E9788D2C6239,SHA256=C4BC062EF71D6135270C2500A6D58CAF39A1EAD0D66238FAA019B93D17EF7694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395621Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:52.857{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD76CD8CEB673C95EA5032CDC2E8D3C7,SHA256=10EB12F02E2B01663448AA370E817919F9730B2591B23DC5D1EE1A68C64621C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395620Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:51.760{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-59852-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000395619Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:51.250{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53747-false10.0.1.12-8000- 23542300x8000000000000000395618Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:52.623{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE582E2BEF79017313FD76E865456A45,SHA256=4FD5F6528C7D9998848CE3E5FD3FEDC62C3436C3856F9D6BE78F1A66F4F9336B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450525Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:52.599{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24EF08643155A029E7D18A290212525,SHA256=BD94EE2E363F5743B6B8C8D862264E2AE54A68DFF16E0ECEF5346C648B34B4FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450526Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:53.614{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CAA3231A48D4FB960ADB5EE947FE5C6,SHA256=0D11C78AF53C74ADB944183C1C2E995F0AA668BCAA00311397D6B7AE416E390A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395623Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:53.670{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A632D1017AF47EF9375EA31C19E886F6,SHA256=7087A5AE3AD0FB1F6FCF1B1A399ADDEBB1B76612D9B0FA8C01C3D2C4AF3428CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395624Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:54.670{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=467C67A2C319CFAA1E86672D04E3DBE0,SHA256=A96596D4136BB2040C729456E26DA276AFD76D6EFAD14B55C9CBE60B700C2801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450527Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:54.628{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29670ED682E680BFCE12357929D7E5AB,SHA256=6348CD3F9665DF4E3176EBE15D95183F2F59B26915556966C673B693E5BDC305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395625Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:55.717{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC5983129BEB638BBE7878DB55898B4,SHA256=39373554289F87491105EE85B7FC7F679B07CF0D92CDE598E32D727478F037C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450528Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:55.643{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ECF908C3B608667157456AEB228C99B,SHA256=C2511889304968AD3B274AEFBCA86B6B250CB5E08297A7BEAA821B4A7D0E551F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395626Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:56.763{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0104E88B926AFCC3BF6637C6D373875E,SHA256=AC209BDAA7B5D121CC7379D37B22294B8FDFC002A14EFF308A870CB1819ECEB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450529Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:56.660{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99AA333C7E87372A9A406EEADBA9EF6D,SHA256=0B6D4C1663E62C303F142EFF620DED6AE34026D83DE19DACD7B9C492E53A7E94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395627Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:57.795{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389F79D8659FD1A357B3BC7E918CF969,SHA256=8C22CD10987C7A37E8D70863AEE8F42F0D3F4CE7531166925F6B888428E23F27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450531Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:57.678{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D86A8ADB302BEDFFEA81257C825F5A6,SHA256=B5D43E1B36FF47B06F32A2F1AEFDBDA214D5623A4EE3DC992E852AD23DB45E48,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450530Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:55.496{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54363-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450532Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:58.709{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C5598C14C11DA7A69325D5D4AE27B93,SHA256=05BF247E312E05DD2B44D27471832342A00FD506DFFFAEC1CF86DE0C69706B19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395628Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:58.795{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B39DFB0F8D71279C6CF2AD62A817E0CF,SHA256=29C427D9D799ED359185A2639275E206AB0607180D0D033E2F3AAA213DC768CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450550Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:59.877{D694AEB8-0597-60E3-AD0A-00000000D301}55726516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001450549Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:59.739{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C05FE088FA861DDC48120DC6190B584,SHA256=C620F3501C193257B368ACE7D5E08C638D18D1288787830C9F699B0BD90150A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395630Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:57.234{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53748-false10.0.1.12-8000- 23542300x8000000000000000395629Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:13:59.795{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E701DBD0A5FBC00A2BC75F644EA35B7D,SHA256=0B7DB84EDA4424B39CA2C35F6B68E04F5210647380AAA08FA8E5BA2FF222030E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450548Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:59.724{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0597-60E3-AD0A-00000000D301}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450547Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:59.724{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450546Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:59.724{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450545Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:59.724{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450544Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:59.724{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450543Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:59.724{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0597-60E3-AD0A-00000000D301}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450542Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:59.724{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0597-60E3-AD0A-00000000D301}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450541Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:59.725{D694AEB8-0597-60E3-AD0A-00000000D301}5572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001450540Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:59.077{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0597-60E3-AC0A-00000000D301}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450539Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:59.077{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450538Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:59.077{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450537Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:59.077{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450536Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:59.077{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450535Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:59.077{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0597-60E3-AC0A-00000000D301}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450534Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:59.077{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0597-60E3-AC0A-00000000D301}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450533Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:13:59.078{D694AEB8-0597-60E3-AC0A-00000000D301}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395631Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:00.810{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C09D427508C78A579F5FB45F4E6DC3F,SHA256=AB9AF8711E03B1937E19ADA5DF215B643C76E973FC2AB8E1815D0F7E42839816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450561Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:00.792{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=683D32F0D772B800B9C52FFAB348F40D,SHA256=D7684F149DEC1BC2970BEE9837DE97084C5666B816FC4FB0C6EBD33D19BF1139,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450560Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:00.392{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0598-60E3-AE0A-00000000D301}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450559Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:00.392{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450558Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:00.392{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450557Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:00.392{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450556Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:00.392{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450555Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:00.392{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0598-60E3-AE0A-00000000D301}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450554Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:00.392{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0598-60E3-AE0A-00000000D301}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450553Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:00.393{D694AEB8-0598-60E3-AE0A-00000000D301}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450552Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:00.092{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D1990B7B96D7451834994433C52517A,SHA256=9A0A11906288AE3F8E805A28E8FF4294645B8AC8D1EA886B3D5F2B601820B416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450551Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:00.092{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A936589D9C6238D10B4F8284DBDDBB24,SHA256=1D006189284A8BFB08D4DA3F9D488A0E47BEAE0AB550FFD0C51AD3CA614D6802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450563Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:01.806{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970371B20777370A1E39F6E1EBA578F1,SHA256=4A0F7B858741411B6B32F7B2A507AB145DA70CA98311755D2E8705A4E6D234B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395632Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:01.810{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF7ADEF41E8523331034907B4C8746C,SHA256=0859913DB4B24804D3411B2599B31310645F4A4D7B24980E866CA866D4589F24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450562Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:01.538{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D1990B7B96D7451834994433C52517A,SHA256=9A0A11906288AE3F8E805A28E8FF4294645B8AC8D1EA886B3D5F2B601820B416,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450572Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:02.874{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-059A-60E3-AF0A-00000000D301}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450571Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:02.874{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450570Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:02.874{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450569Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:02.874{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450568Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:02.874{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450567Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:02.874{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-059A-60E3-AF0A-00000000D301}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450566Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:02.874{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-059A-60E3-AF0A-00000000D301}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450565Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:02.875{D694AEB8-059A-60E3-AF0A-00000000D301}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450564Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:02.821{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1CADFA9A5B24DAEC6D0BE67B4DE8E46,SHA256=E98A57CDF541BB49A8F4D7472C36527BBA26502E6296F034C6624947609DBDE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395633Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:02.810{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6518D81395599A7508F51D91772034,SHA256=A256EE55F6916F92A12E2DC25E1A664485D07186931ACB652A7EFCD1324C54DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450585Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:03.889{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE58F2C00D21AC4025040AC042727888,SHA256=B260BEFFD6B5B962706EE83079DC7A15B514269C69DDED129F00783FD1C5ECD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450584Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:01.492{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54364-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450583Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:03.836{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E540E601A31837B4945E68CFDF9B6EEC,SHA256=BBC678137DC3A57323FC6CD7FC5676436BDD7A136791C02511E9BA5AA25F276F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395634Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:03.810{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E11F155988A564D85B8D4C835EC8227,SHA256=BFFF6437E910C7DBD2A226A196CF5711C6ACCABC1CC629CE93846D75BFC63B45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450582Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:03.690{D694AEB8-059B-60E3-B00A-00000000D301}16283148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450581Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:03.536{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-059B-60E3-B00A-00000000D301}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450580Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:03.536{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450579Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:03.536{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450578Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:03.536{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450577Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:03.536{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450576Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:03.536{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-059B-60E3-B00A-00000000D301}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450575Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:03.536{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-059B-60E3-B00A-00000000D301}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450574Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:03.537{D694AEB8-059B-60E3-B00A-00000000D301}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001450573Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:03.036{D694AEB8-059A-60E3-AF0A-00000000D301}34485232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450605Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:04.957{D694AEB8-059C-60E3-B20A-00000000D301}49564584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001450604Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:03.191{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54365-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001450603Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:03.191{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54365-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001450602Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:04.888{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A45B51233496539F1010DEC4A812758,SHA256=3194CA3D2DBE54EB4F4C4CF6977D8EAD169C1A10DB6A175E94FC1D7330001950,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395636Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:03.234{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53749-false10.0.1.12-8000- 23542300x8000000000000000395635Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:04.810{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FADCF4318976248098A3EF2FC7750AA,SHA256=A70683EC67F33EEC1E452FD0FB42D2DE8E6CDE0369ED8DDF3DCB32C01CB1AC60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450601Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:04.788{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-059C-60E3-B20A-00000000D301}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450600Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:04.788{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450599Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:04.788{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450598Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:04.788{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450597Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:04.788{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450596Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:04.788{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-059C-60E3-B20A-00000000D301}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450595Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:04.788{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-059C-60E3-B20A-00000000D301}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450594Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:04.789{D694AEB8-059C-60E3-B20A-00000000D301}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001450593Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:04.105{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-059C-60E3-B10A-00000000D301}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450592Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:04.105{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450591Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:04.105{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450590Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:04.105{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450589Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:04.105{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450588Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:04.105{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-059C-60E3-B10A-00000000D301}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450587Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:04.105{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-059C-60E3-B10A-00000000D301}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450586Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:04.106{D694AEB8-059C-60E3-B10A-00000000D301}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450607Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:05.903{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0AF464656C4F93C34F7B6B92DFBEA78,SHA256=1CACCB1C259D650CED4AA7B7F450D4BB711DD52B1D641064938AFC48A5E9FC01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395637Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:05.826{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99618B450FE07EFB3E52A034A0D3426C,SHA256=A573A9B25AC58D485D84341D38F309898548EEF2F52669ED4866247647742A0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450606Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:05.119{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C5B0A4E29CA200FF3993BDE271A6A61,SHA256=158B8EF06678942E0762E1EA4FC215F7A3AAE92DB8E1C681DCA6A168309F40B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450608Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:06.917{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC92A67EE50A749B852A406202191703,SHA256=016826915FD9ABAA2844839CC0DFC19F774EB72E4F50104B24C3F5F33D7EBD1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395638Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:06.826{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775AE77F60BD7FA8E85675F3971534B3,SHA256=A298647567AE30AE768DE224B4FFBE2D2664A0A35CDF6EA1EB9D28598E42AE01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450609Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:07.949{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4F597F5BEE2D822DB4E023AB6639171,SHA256=EA3501769A2C8915D503653D7DF9808EEE815B4ED63F9FE259466168F4CE771F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395639Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:07.826{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E81B548FCC2B7EFAD58834C418C8A2F7,SHA256=82791856C867F4F160F962D6C40733864E6CD455A0BC3D15D017ABB29654E6D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450610Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:08.967{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E102090B2542960C00847249B30241C,SHA256=480D8EBF76E056A5B92E9AB4256E145C2D79FB0A74312ED3FC9251BD66421D35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395640Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:08.841{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=229137F44BFD5D66FEB864A296F57748,SHA256=3362C77B649067987764A65E3A8B66CA2ADF91B6248D0DEBFF0A6E926336E97B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395642Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:08.438{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53750-false10.0.1.12-8000- 23542300x8000000000000000395641Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:09.842{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41BD9D49A047343D79119983E0F2E5A6,SHA256=200688D63401EC987D5C18C138A129B6070ABE8FA5F1364015A70DF37EB01821,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450611Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:06.502{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54366-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000395643Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:10.857{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166C71899F0372AB42C73A44B0BE07D5,SHA256=E8F30FE124CC503E974C9E63501F8DF5B6C7BD22F9FCCE5ED23915EB10FCD7EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450612Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:09.997{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4237C349229C76D98443F7AB43B6237,SHA256=7D008AE1077AC04CC2AE6E889108F7B1A53F6DBDD4833CE03A745E352EEE0D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395644Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:11.873{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D5FA60D3D7F91D673EBC1C8360E7A1,SHA256=773032B005A7F7BD0B64F2CCB7AF2DCF5DD6DBF3B79C4158DDCE70AD551409EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450613Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:11.013{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CAAEE0855CC758BEDE9767082F06526,SHA256=0F739B21F3CE563033C2178FF326ADEF7B76E8EE2549850E39DD25A14CA82C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395645Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:12.873{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9723812DDCD57EB562203928D4D33CF,SHA256=470EB28DFAA42D5D61F8BD4ADEB8FBC8E87A8DEAEC36AD6D1B5B5970EEB9EF64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450614Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:12.027{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E20F531A8A72BB16A926E5368EC1B5E4,SHA256=76BD7BD5B94EAAAD1DA29FB10E542D89D73024AA6A1E1BD37F19998569AB04CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395649Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:13.874{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACBC0BB6CED0BCBCBEE37399FB5F05C8,SHA256=4CF3D90B4B5772585670B5BEABD5E8AD705FF613FDEF8B488C18238446FFA4F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450616Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:11.519{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54367-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450615Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:13.045{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD6D2FEFAE163313D61D814ABE26715E,SHA256=8BF0FA996CABFDC20B66DFF0DB2F6F2F2C23327D176386EADBDF20A1303B6409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395648Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:13.515{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1207020DB256C92D02711829C49AB07,SHA256=DAF6DB44DE6C911D1678CBA6EB68D1A2415CD20355F6A7EA1F94C3F3EAFFABDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395647Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:13.515{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60A7199738BDFDD078D2E9788D2C6239,SHA256=C4BC062EF71D6135270C2500A6D58CAF39A1EAD0D66238FAA019B93D17EF7694,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395646Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:11.863{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-45468-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000395650Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:14.877{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD187DF10EDBFF95C169CA8EB06B96DE,SHA256=3AA007467256262EA2B03CDAD1D285361403CA0D440F21CD0E7CB2DA67E73BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450617Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:14.064{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B015B29829576C92A5BAC1598FC99B0E,SHA256=17D5201AA691A7F81DE70D62F2866793EBA15659204B85C21CAA3A64F9443644,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395652Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:15.879{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376F5BC82A528DF8FE2662D8C73A54E6,SHA256=18B3F4968121184B676ABF5C097E828918E2DB8E5519E3B6E1CEDEE0486A0A9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450618Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:15.094{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7891AB13D5D22A9415B7583F950399D,SHA256=D67BB68896755B72ADDCC9608870CEC0D4F22C3AF7CDC77DCE87C1C24EE69AEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395651Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:14.395{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53751-false10.0.1.12-8000- 23542300x8000000000000000395653Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:16.879{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2D787F8927A68D9278482D7D19C58A,SHA256=3588AE431D75B6F3C9F3257AF51804282BA5B5D5E852D88FCE4A0824972CDED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450619Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:16.109{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0E52DBD6ADC1981F29A91D85BAC956,SHA256=7801C36E028089C4CAA2DC82B4C7F139FBA9FB3018BD9C0693AE8AE73DAAAE7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395654Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:17.879{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDFA47D463771C32700E1E5943C8221F,SHA256=E28442EB2D65E60A891539295F9A7C9B936E4088B255F208A1309A1088A0DE37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450620Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:17.109{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB0AC2704982135F056F9EE4CD57C7BF,SHA256=2704F5836A5F4981711B9427916E56E2E1067A5B970263D130DE238F859A8FF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395655Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:18.879{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5E5A46C9D3274D9BF4C1AFF1944054F,SHA256=1BED01822B27A9FAD2549171610216A08D3035B0D2EB72BD1C6721194A5A84BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450621Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:18.122{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905FCEB9EC7C7AC9BE8A74D990096980,SHA256=1326315AF9ACC5318D32F5534DC061334030BF1A84E98D9792F2A652F2B3003F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395656Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:19.895{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA1BA12FD796A5C41979DC382DB28B6,SHA256=9A2896899F8E18913D017C48698179182E30723F6B6732D960E61FABD5A009DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450623Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:19.140{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=989610B6B5861861E5FE24D8979609CE,SHA256=A34C96CABC24A3B09FEEBEA2FCBCFD65CCE6C41CC49537BF494DE0FC32251A48,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450622Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:16.546{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54368-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000395657Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:20.895{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5D4DB84924D70E19FCC65624A195323,SHA256=3CD6E7A86B325F21735568D2F933EFE5B62919FA65DAA26FDF2B0A67F3B56B4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450624Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:20.158{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C791CD632E9407F6DF25DBDC7E259E,SHA256=0EAE4F8A2F7D7CE34309D4DF726184CCB3B3D6B4B61D3BC851694E1B6A739F2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395659Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:20.366{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53752-false10.0.1.12-8000- 23542300x8000000000000000395658Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:21.895{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38FC54C2A058EBE010E6C88519F026EA,SHA256=0917DC54F570B1AECB53821AC563AB58C9F46414D5A7F107ADAB459B04FE38C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450625Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:21.174{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057270D795538F02F60D1B21F4CD72DB,SHA256=057D8541C8BFE0B9CDF2EC07FEBB4825C318A4CAF82CF1296C2DC75AD3DFD6EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395660Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:22.910{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C688487E9C1A0650EF55DC4CBB7DC078,SHA256=FB24F485E45E40317B5C66BB26DF47BA021C06E896ABDF587CE8454B8D778D12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450626Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:22.188{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6615D9E67681C36081E3ED30431FAE6E,SHA256=572BC4EADB95A417CEC1728B9C5353855E032FE56E574164A16CD064E7AC7B80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395661Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:23.910{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F1355C748451D189F4FF4547AF0E56,SHA256=13EFD725F04376DDA99724F161414BEB0E62A43B7A190F20C26DEC78AEA5BA86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450627Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:23.189{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC3ED47BA4A4A721E76564B89DDF3F4,SHA256=8770441797BAD072A1FA347F87692F6066120FF4D6A0349CD84488DA235AE30F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395662Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:24.910{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28851ECC16BD92C5048A1143952E518E,SHA256=894885917D03DBCCD2E3C4C167B54B9339F95BDFA31FF168208C4AE2C98CF814,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450629Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:22.574{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54369-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450628Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:24.203{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFBEF4D74DC591565B5CB01808FD3B61,SHA256=D853692991CD449D90768CF487649A1381FE3D9ADB52D9CE6D4F54E4F243E99F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395663Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:25.926{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01E742C7400A77BBF74203939517EDE,SHA256=FCD8A6624D1D6979AC550FEB4777CA9D0525AB15EAC31C5568E70B02676B7BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450630Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:25.217{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFCA949F2A1CDD3B2C4421C09981068C,SHA256=E29366F5C0A5287B583A8EB52E3074EF3D46500052FD02DA33B8D8BF51050177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395665Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:26.926{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBE611D5BBC23EC352D6B927336CEE38,SHA256=023562113DDDCE21BD1DDFA1FD1A99FC95F7CAE5F5A7134CDAACB0A4D6AE4DFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450631Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:26.235{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164287B36AFCED778EB65C3B5CF12D4F,SHA256=AEA405439A457C940D6F04F4987B09C6FB26752E2BE2EEAA9029E4BEFF78644F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395664Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:26.270{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CD545D63641B5E27BCB92AE42CB2D99E,SHA256=AD305AE29D0EB04039718CDBC19B553EA301EFFAF3E3D11D2585E1C3111E90F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395666Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:27.941{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C55D29E543695436726822264E8CF0,SHA256=84F1F72BCA684A6F2B4ACFC3E735523464C95CCF35788503C0D150C3244208CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450632Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:27.254{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACC7F4014AF5D1931F2E190545FF5CC6,SHA256=1665DEE12F966772C515A765B53331641ADF457E62324017FA113928178D7750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395668Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:28.941{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6F18A6EF598F9FC21C1ED0D0922500,SHA256=0500F2882312FB3153107368EB5E3D4AC198DD21CA8F87D42670EA201DDE2918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450633Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:28.284{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=896EC03F123B72D95CF4814205524FB3,SHA256=4CE7FBC11CE616B9C5023B1F97DB81BB973289F2D36152710D2A0C00D1453FD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395667Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:26.335{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53753-false10.0.1.12-8000- 23542300x8000000000000000395669Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:29.941{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1950B6F1E1785D3178BC00BA99486532,SHA256=BBC69FD4C6861C18E7B99E4046A6E0E42FA95CE6297A2BAF3C1037D1C2D3E096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450634Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:29.298{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF2C4D8051CEF849C9D6040CFA4B562C,SHA256=382C909240D52B5CA7AC305520A5214615CF2C9F121567EDF4CDC792DF1C7878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395671Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:30.957{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E15A4608FA74ABBD62C01DBED51E21E,SHA256=4571B2597630E15849F1E7927828AA77D990FC751B813D79217C0F1875DFEC18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450637Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:28.568{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54370-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450636Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:30.334{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=789DF413A43B4AF668B65C3768A62989,SHA256=29EEDF668BF70468392A8FEADC67C909E49D8E6C63052B33319578E8E43BA9C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395670Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:30.895{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450635Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:30.181{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395672Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:31.957{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B908E4785C944034191D14342C17353,SHA256=55E471E367CE0FA73009FBCC725562D14D581B3AE333E8D2548FF72E66A2F036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450638Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:31.380{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B733E6810F9607B796EC8F39F6E8FCF1,SHA256=AF6570BF44001EDC4C0770BFB8BB2F43AA497309E1B582E2DDAC56536FD62A96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395673Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:32.957{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1FCC8ADF12181650A0374A544491D9,SHA256=15AE73981A9E55551C07AA646133BFE5C6A573E383A458F9278032D1C57D7AE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450640Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:29.635{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54371-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001450639Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:32.395{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5C847B96CE9CB5C2CE14CC569FF637,SHA256=3FE47A83809EC3D0F32D8F736BD970F41CB7BFEFCFAF6D17541A64EF1D8AE621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395676Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:33.957{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5159B7FB3EE1AA71D3521E9671B88FA,SHA256=3B8BE761554615527955990B14E1BB39BEC620F16B912A9F4A9B5164229463E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450642Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:33.825{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=94C501110A33E96A68864AE0B8EAB8A3,SHA256=1648D1925928313461570EA8B7760C5FDFAC5D4F0BB790FFF85B9A00E1610D29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450641Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:33.410{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0867EA0B76F41140E2AB9AEA8831AF3F,SHA256=13D4E1552D5751AB845358C999417E2E4C64BABC65A287B5DC76951EF880187C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395675Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:31.335{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53755-false10.0.1.12-8000- 354300x8000000000000000395674Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:31.069{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53754-false10.0.1.12-8089- 23542300x8000000000000000395691Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:34.973{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1472B2758B885F7749CCB1A570B59691,SHA256=E1A0FEDEDF805FDF4A198256CB6457BAEF5F25CA4BD95AEEC6AF9A810B1DBEBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450643Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:34.410{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08A265A456677D1D5C5E9F0DE7568D1D,SHA256=8FE92453CB79B0D7F39AFBB4CE0C50C06A1C6BEB68DEBF708502265475CAB528,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395690Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:34.754{7F1C7D0B-05BA-60E3-220A-00000000D401}9722268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395689Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:34.566{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-05BA-60E3-220A-00000000D401}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395688Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395687Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395686Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395685Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395684Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395683Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395682Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395681Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395680Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395679Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:34.566{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-05BA-60E3-220A-00000000D401}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395678Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:34.566{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-05BA-60E3-220A-00000000D401}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395677Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:34.567{7F1C7D0B-05BA-60E3-220A-00000000D401}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450644Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:35.427{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CD2FF3699885509741B737F35444A68,SHA256=0DCA8050DD37FAF987ED9727BEE356F8B9F27CE45E905E2C1C21A7AB05910F34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395719Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.738{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-05BB-60E3-240A-00000000D401}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395718Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.738{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395717Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.738{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395716Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.738{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395715Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.738{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395714Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.738{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395713Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.738{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395712Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.738{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395711Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.738{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395710Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.738{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395709Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.738{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-05BB-60E3-240A-00000000D401}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395708Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.738{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-05BB-60E3-240A-00000000D401}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395707Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.739{7F1C7D0B-05BB-60E3-240A-00000000D401}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395706Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.613{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE1983DF956D017DDF1452E20C3CB64F,SHA256=B0F1C9D41366571D1DBA0C5953706D6B1C2407F7ED40A6941A761A265F8FC190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395705Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.613{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1207020DB256C92D02711829C49AB07,SHA256=DAF6DB44DE6C911D1678CBA6EB68D1A2415CD20355F6A7EA1F94C3F3EAFFABDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395704Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.238{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-05BB-60E3-230A-00000000D401}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395703Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.238{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395702Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.238{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395701Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.238{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395700Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.238{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395699Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.238{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395698Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.238{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395697Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.238{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395696Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.238{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395695Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.238{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395694Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.238{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-05BB-60E3-230A-00000000D401}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395693Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.238{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-05BB-60E3-230A-00000000D401}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395692Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:35.239{7F1C7D0B-05BB-60E3-230A-00000000D401}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001450646Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:34.579{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54372-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450645Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:36.446{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=731D1557CDCF3942648DA2BE40589DB3,SHA256=F7807CCB6AE84C454221295F3ED6ED579AB0076C440E0CE7CB9D21DEB424D36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395721Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:36.738{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE1983DF956D017DDF1452E20C3CB64F,SHA256=B0F1C9D41366571D1DBA0C5953706D6B1C2407F7ED40A6941A761A265F8FC190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395720Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:36.004{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50817A45D87DA1C65BB932107C15DAC6,SHA256=EA5C758BEA47E1589BBE0D0E48C5E529F7FB876F9D4F0B055BFB9331A38AD41E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450647Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:37.460{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5A69CDDF6A35EC21556450F8BAABBD,SHA256=087F317384857AA7142A1E6FD954757DEFA3D5878CCDB977DF9E57FB94F88F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395722Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:37.160{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2459CE1B0C2F9304E4B3488B3D61FDBB,SHA256=474F65F8C7ABEDA413E1D25ADD109B33AF6CE0397D10DAB6684B69DB0DA17616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450648Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:38.490{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B06A873D7E7AA7B93525EF3BCEFD225,SHA256=E925F29743EE3BC9ACB2D8CCC325D9092EC1C03B2605146A1D992D8D769F032A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395724Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:37.352{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53756-false10.0.1.12-8000- 23542300x8000000000000000395723Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:38.285{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC5EA517DC539019339B8B48B38B5124,SHA256=6084DB729F9FEF3818D46D235886524D448A7572163403DE953714A962131FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450649Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:39.522{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21C382668870A8713DF7BD17BB4E5445,SHA256=FA9FE5FB4BA7390D9A2E1CBA79402F204B51D0F476D935FAED53C5ACA041F624,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395752Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.816{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-05BF-60E3-260A-00000000D401}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395751Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.816{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395750Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.816{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395749Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.816{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395748Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.816{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395747Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.816{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395746Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.816{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395745Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.816{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395744Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.816{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395743Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.816{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-05BF-60E3-260A-00000000D401}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395742Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.816{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395741Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.816{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-05BF-60E3-260A-00000000D401}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395740Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.818{7F1C7D0B-05BF-60E3-260A-00000000D401}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000395739Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.567{7F1C7D0B-05BF-60E3-250A-00000000D401}10643656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395738Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.316{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-05BF-60E3-250A-00000000D401}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395737Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.316{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395736Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.316{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395735Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.316{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395734Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.316{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395733Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.316{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395732Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.316{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395731Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.316{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395730Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.316{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395729Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.316{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395728Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.316{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-05BF-60E3-250A-00000000D401}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395727Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.316{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-05BF-60E3-250A-00000000D401}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395726Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.317{7F1C7D0B-05BF-60E3-250A-00000000D401}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395725Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:39.285{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F4EE9F1A60E6B576DEDF7113DA31D4,SHA256=0D8E52EB70BB19BD9DE29FC70F534AAD9276BD4B7295A0E2D5CB60752F57FC1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450650Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:40.541{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9A2E3DC69694336A344CB920F1DE57B,SHA256=B41A739BA90623DCEB8E85AECE9A0ADC07C42BF4CEFE1EA3F6C47B5D16DF7601,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395782Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.816{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-05C0-60E3-280A-00000000D401}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395781Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.816{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395780Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.816{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395779Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.816{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395778Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.816{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395777Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.816{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395776Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.816{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395775Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.816{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395774Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.816{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395773Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.816{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395772Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.816{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-05C0-60E3-280A-00000000D401}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395771Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.816{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-05C0-60E3-280A-00000000D401}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395770Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.818{7F1C7D0B-05C0-60E3-280A-00000000D401}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395769Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.598{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5DBFF32CAC450077205B22D577C2F80,SHA256=3D6C2E7B972F014636ABDBE858F2057AFAA5F065675926F9788B95C72B1EC7A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395768Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.598{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5427276C79BDA5386500D69897B85621,SHA256=E79712CB0FBC97EE32C74742F4AF2968843A4F5E9BAE56C4DF390695D9BD2882,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395767Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.582{7F1C7D0B-05C0-60E3-270A-00000000D401}39641792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395766Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.316{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-05C0-60E3-270A-00000000D401}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395765Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.316{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395764Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.316{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395763Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.316{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395762Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.316{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395761Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.316{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395760Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.316{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395759Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.316{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395758Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.316{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395757Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.316{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395756Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.316{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-05C0-60E3-270A-00000000D401}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395755Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.316{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-05C0-60E3-270A-00000000D401}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395754Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.317{7F1C7D0B-05C0-60E3-270A-00000000D401}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000395753Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:40.160{7F1C7D0B-05BF-60E3-260A-00000000D401}35281564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000395784Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:41.863{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1C989166D2EFF9BB3A65F8D432B4FD4,SHA256=5FD1648B7DDDDB1908C25882F7502897B2C708DC05A475AF85C84938271A73C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395783Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:41.738{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9955334C419C4621AFCFD705151AEB31,SHA256=336EDC4718BD931BE5E2698D0DF2AEABE041ACC35BD8C3E1191520536A6CD93D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450651Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:41.556{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE3EB05A6D8D7F7FA086085756133BF,SHA256=AC1D4DDAD1FA7A13946DDDD6673935F017C9530A8FEF6F6F8AF313509021D3C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395785Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:42.863{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77AE618D81630DE803A8944486D26B88,SHA256=79C052C67C2151788C59A07410D52D03957467A2DF04023D22318776579C53A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450653Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:40.610{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54373-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450652Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:42.586{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0A23C648D747785B54EDD64392D03E,SHA256=13375C757A6C0B8F20160B7A81A1133C412444B9E159E5CF600BE6661FEC51D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395787Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:43.863{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCF473AE5FB8E157FA94D7DD576596C,SHA256=1B5B6AE5848C70F75853FED7C8963A7F94B3D6D269ADD5B47E6D29FCEF0927D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450654Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:43.601{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C20E674BDCFD2E17D7815B31ABD34D,SHA256=6379DD056E6ED23A362F744209ECE84E7429B72EF309C43A5E184E4510617E07,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395786Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:42.351{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53757-false10.0.1.12-8000- 23542300x80000000000000001450655Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:44.618{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=730E9FA6345935984982C8786269E6CF,SHA256=8ABDA761E78B6A90414597BF1E39459146191F758979DA16CE7B2A70FA014C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395788Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:44.863{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6448AB9AFF091D30DA42285E0A7E6E1,SHA256=79BABB36CB031549F2A19D58A974893086499880640652C5D72C0609B1F51C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450656Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:45.652{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=357B9620FBEFC5DD224014EFFFBBD507,SHA256=7F3D179C15C53DCF17BF600AFE9B4C293215F532576117370C7D393E44BEC832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395789Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:45.863{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F87532B1672891068D8FFF5B8C367C1,SHA256=6D5135AB88A43C1124ED6FAAF94B52611B8B7F65021E47B6A8F06687EC1A10D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395790Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:46.863{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=625B80DBD488BB4E1EB210C06B3855B6,SHA256=A61A749712457305CB5F728D7F08AB85E1388FEC3D1C8B1C69456C4101E84986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450657Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:46.667{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F642EB25E5471C07212DC0AA50498D,SHA256=1D8F6D66BDF8A2197DB01763466B07A3D57A8063FD43F86525B100E1BDF408E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395791Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:47.863{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0202BDBFA739C45D03FCDE13BAE8562C,SHA256=53370A5DD5A877506718AD24D6147034F1EAED78A421708F57D9D62687CE8ED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450658Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:47.681{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E2902883B593CF21EBF6D60E1736207,SHA256=4CFCBFD18506A5328D7DB0328A5F3E9C6AF43D1E6BBDE43CCD965EBE4F251C4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395792Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:48.863{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=722BC4117733A96B7D0A574B050C710E,SHA256=017D8C15D24C2B31C8B0FA58F7D2D01C0E3A93A8DEFBCCB7674C34ED3FE18FCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450660Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:46.604{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54374-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450659Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:48.685{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FF03793FE1BD27733EA94664F211649,SHA256=B93381A7D6995DC6D8193000D74AE5D114B2AA0A4B6EBBB89BC5B7ED09161E15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395793Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:49.863{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C529C88F37C85CF0B1961E218995BD0,SHA256=05722C57FA05A5B754FF9D57D5737EF2B09818F70CD38D1D6F79A9DD3DD7EDAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450661Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:49.700{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACFC7323402F82766F7FA12DE7BC899B,SHA256=AF62C5A036DF70DCF31AFC42772B0EDE8676A787B37409DEF40BD9B1F1AACD31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395795Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:50.941{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C3268D14C5EC1D8ECF532CED9A0053,SHA256=BD3A162DB7944BFD2F2A13667DFC6BB98F1C87D6BD9E149E9F19055C07F00871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450662Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:50.718{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35BF61532E67E9A11ED0801F949F4CDD,SHA256=4F4830648A89289059030E9F8148374B1C20A65281A01B74531F0CB6A37FD7A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395794Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:48.335{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53758-false10.0.1.12-8000- 23542300x8000000000000000395796Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:51.988{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5969BA17B859DAF7DED0EE55A70E00E5,SHA256=5FDCFE30193CED913BCB1EC63E0BCA8E608FDA360F94BB4C06CA883303679936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450663Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:51.736{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F7AEFA6E4FCA78170594E82E203867F,SHA256=9F1B62BFA736FD82C1B9B0E749B3B76519484CA5B87898E4BC8A2FC656F3B1CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395797Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:52.988{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2112BA528A9E1E15B03A6D092B8A088,SHA256=83FF576DBDAA4719209359833681EA3B45BDDA15D67833EEF36698595F413123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450664Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:52.750{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0829244F9B1C5001977D80EE6954E995,SHA256=0C575D87676F6ED38BD7D1726224831343F7AEB01241C7F7957834C7A177DD14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450665Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:53.765{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC87F6D4C97655816A80412C85AD8179,SHA256=815F78AEF6A201BDB91A441FB16FBB1CC6200A5CC823549F2708DAB08538D281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450667Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:54.780{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6E23183AE7ED6CAA462A345E2673F6,SHA256=BAB651795BC4F7EF40E9F095999E4AF89D642DB7431C571CBF643C7637FB5FBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395800Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:54.879{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BF1A0BD24C7DAE44782A414E6A4F429,SHA256=89603A2CBDCA657F2148A8DA8E0B56CD9A52939101D1067817D03DE949C48426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395799Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:54.879{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCBC4D1EB092F7BC6039BA2924CAD264,SHA256=12A2C420498AC8D430408AB96528E307986EBD5CD5C31909261E8CB411073DDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395798Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:54.004{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E80031130B9F192447CA34C6F9C3D2B,SHA256=117F1B77ACF06ED27791BB6DE972CABE34932F1E6318877CD2B05C0C88BC36EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450666Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:51.605{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54375-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450668Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:55.794{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA1A7922F0A4E434C3F5ECFE42FE1AC0,SHA256=E5A72C8655F3E21326A738928EABF0B2C265D2196398C105B86A74086E491276,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395802Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:53.477{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-61348-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000395801Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:55.004{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF9E195C2AE2C83515E39E1A845CC5F,SHA256=5C1D942CA2998F8BDD7F6AFE308F2D66F21A8225A42C4C5B247ECBD891E74741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450669Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:56.811{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC653521454838E4F2FDD96D17E6989,SHA256=055740C6DA5D35F2278CD363EEC0AEB00EFDB3B37F3BBD16A8058AEAC874F443,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395804Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:54.288{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53759-false10.0.1.12-8000- 23542300x8000000000000000395803Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:56.004{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4121F72B30AF441BB782FE4F81C2667,SHA256=1E30746819091C5EA17B08572E438BB9170F3A0E5F86833C4144B58817BB65CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450670Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:57.845{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9786869757469F0F49CF4553D9113625,SHA256=DF4AB1F5EBEC79E9F9CE29C66248BB60DD44157BFEE1B3C25D99CAEFEF64C58C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395805Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:57.004{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F52510862C8AF1F8102854E0CCB6D3F2,SHA256=0840C3CC04FAA3CAD9E0895B7975AF43595F5BC0326B3F9B9AAADF42AFB846AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450671Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:58.860{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28994BCA97B750ACB2B2C3F50A0FAF7A,SHA256=90071C921A1B8E0C138629D52AD23C210AC2C6185103D1C78C95E578B2DE0B71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395806Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:58.004{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D52E51FA0FBABBFD8F58A66537860699,SHA256=67BB291BD30F6A9E8ED9B6A3E0C32DC7B8EA1C4FE7C7B5C517F2335DF9B5A212,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450690Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:59.929{D694AEB8-05D3-60E3-B40A-00000000D301}61042024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001450689Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:59.891{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4CEBFCC5609F021EB9E6F3691ED1A2,SHA256=D60568826DEE1EABD55EBFB1913BA3EC19836ECE0D3E4745E62BCD5E9FF44BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395807Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:14:59.004{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A8412F1FAF38F26F3B45F1F0F9DF93,SHA256=5CC647AA763CA61F4EAE62C2EA715DD469A59F06C6E94977E5260FE422A883B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450688Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:59.728{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-05D3-60E3-B40A-00000000D301}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450687Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:59.728{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450686Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:59.728{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450685Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:59.728{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450684Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:59.728{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450683Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:59.728{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-05D3-60E3-B40A-00000000D301}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450682Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:59.728{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-05D3-60E3-B40A-00000000D301}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450681Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:59.730{D694AEB8-05D3-60E3-B40A-00000000D301}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001450680Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:59.044{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-05D3-60E3-B30A-00000000D301}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450679Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:59.044{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450678Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:59.044{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450677Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:59.044{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450676Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:59.044{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450675Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:59.044{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-05D3-60E3-B30A-00000000D301}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450674Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:59.044{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-05D3-60E3-B30A-00000000D301}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450673Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:59.045{D694AEB8-05D3-60E3-B30A-00000000D301}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001450672Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:14:56.615{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54376-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450701Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:00.960{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A812B7A1EF2C732170A100438AA800D,SHA256=72D73CF51597ECA38D532EB8B9CAF007E33AFD5A49804C6C570710F4C7A01267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395808Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:00.004{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ACCA5C6B89F0FF6E0483FEC7E136D56,SHA256=F65B904EE35FEF06D304773F494241E576B962C4CEC782643E0159365AA862E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450700Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:00.391{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-05D4-60E3-B50A-00000000D301}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450699Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:00.391{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450698Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:00.391{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450697Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:00.391{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450696Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:00.391{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450695Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:00.391{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-05D4-60E3-B50A-00000000D301}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450694Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:00.391{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-05D4-60E3-B50A-00000000D301}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450693Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:00.392{D694AEB8-05D4-60E3-B50A-00000000D301}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450692Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:00.045{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D26B190AA1596183E069DB959791406E,SHA256=F5EF694C4BFB018FDFDAF23AA546ACF5F18C444B50C588CE44925488A613426A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450691Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:00.045{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26FE4E88F87DC4669D42DC8198382E9E,SHA256=43FB50C5FD11AEC4A349557254D1F020A8DBF72B92B386381360A1B8785866A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450703Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:01.977{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519590F36304BE85AEEAC86BAA092BA0,SHA256=D5B26E24397D652CCF9820EAE82C97D3CC1EEA74F6FB6E17FFF8667F8308CCD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395810Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:00.226{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53760-false10.0.1.12-8000- 23542300x8000000000000000395809Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:01.020{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B50E569793EDDF3EB2F769E27A9C72B,SHA256=1E270BCDA0B9B0D96FBC21A64445E942338E597C2BAE87C644531CB81088E73D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450702Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:01.429{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D26B190AA1596183E069DB959791406E,SHA256=F5EF694C4BFB018FDFDAF23AA546ACF5F18C444B50C588CE44925488A613426A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395811Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:02.020{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103E12A23FEF9FDCD533D13EF972B5E2,SHA256=CFC82368FC00889B70DF337E58D19A9A66FE48E54436933D2258470CCEE4FFD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450711Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:02.876{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-05D6-60E3-B60A-00000000D301}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450710Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:02.876{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450709Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:02.876{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450708Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:02.876{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450707Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:02.876{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450706Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:02.876{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-05D6-60E3-B60A-00000000D301}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450705Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:02.876{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-05D6-60E3-B60A-00000000D301}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450704Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:02.877{D694AEB8-05D6-60E3-B60A-00000000D301}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395812Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:03.020{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27772FFF43C6316330C18D2CBD7788E0,SHA256=5F1E123CA007254E95C57F97F242085FA00DB85AA07AA830DA6717A79D0D1C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450723Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:03.890{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E31506A08278652EFEA5644902649890,SHA256=5FC61FCDBD09F09C40F02701AC0795BF269B705BFF320441007CD932830769E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450722Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:03.690{D694AEB8-05D7-60E3-B70A-00000000D301}33605804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450721Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:03.544{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-05D7-60E3-B70A-00000000D301}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450720Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:03.544{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450719Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:03.544{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450718Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:03.544{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450717Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:03.544{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450716Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:03.544{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-05D7-60E3-B70A-00000000D301}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450715Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:03.544{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-05D7-60E3-B70A-00000000D301}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450714Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:03.544{D694AEB8-05D7-60E3-B70A-00000000D301}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001450713Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:03.029{D694AEB8-05D6-60E3-B60A-00000000D301}24807064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001450712Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:03.007{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEDD28B081F549E356D8784EBC3F0379,SHA256=2D161CE9BFC747F3B06B4086956435D315BBAC3AEDB991E0DDFD0ECAF468E5A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395813Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:04.020{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96BC2768D0D79FB2F4CBE3970B9B49C3,SHA256=AE69CB1FD975806833A2DF67CA899FD37B475D8C150F631AC6CE8C28CB856646,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450740Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:04.910{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-05D8-60E3-B90A-00000000D301}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450739Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:04.909{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450738Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:04.909{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450737Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:04.908{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450736Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:04.908{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450735Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:04.908{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-05D8-60E3-B90A-00000000D301}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450734Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:04.908{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-05D8-60E3-B90A-00000000D301}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450733Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:04.906{D694AEB8-05D8-60E3-B90A-00000000D301}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001450732Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:04.227{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-05D8-60E3-B80A-00000000D301}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450731Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:04.227{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450730Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:04.227{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450729Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:04.227{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450728Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:04.227{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450727Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:04.227{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-05D8-60E3-B80A-00000000D301}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450726Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:04.227{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-05D8-60E3-B80A-00000000D301}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450725Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:04.228{D694AEB8-05D8-60E3-B80A-00000000D301}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450724Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:04.027{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78EB74D483DB1C6E923A29051A0AB5A2,SHA256=6A25A56BEB74EB3EE8E9EC384BE87A021D9B462E5CACA1F8BB91E6A720E9B3A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450746Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:05.274{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBFB9931BEC190B1840DC7AB9ED2B4D2,SHA256=52D30B92D16B6B42B3BF5662D252AD3E6F6A9CAB7D81E02387FCD5BFBCBC36D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450745Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:03.198{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54378-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001450744Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:03.197{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54378-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001450743Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:02.629{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54377-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001450742Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:05.058{D694AEB8-05D8-60E3-B90A-00000000D301}9606004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001450741Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:05.043{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E793340E6F12B3AE53334E9697366972,SHA256=381781CC643B7EA284F98D98DCBED58E6575A6A31BE99B4D2971071954D9206E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395814Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:05.035{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A2D81BE6279C37EEA8A722BE9F8EB09,SHA256=93F56BF52D2D2786D176B65CFC47F8506F773D23E02DF806C0ECC45A192A6D3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395815Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:06.035{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E2489ADD5BE9F74CC871EBE7288857F,SHA256=23C6C35E4AC5BFD1AD3A9C1C6FAF8D55EADE9B5F308889F672CCD0A30F458F9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450747Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:06.127{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A22E5EFFBFE587AA910D40A8BC4B93,SHA256=1A416FA78ED2E5867C73C4755FC33F9ED484F4068D7D262B8B07572206953C97,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395817Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:06.273{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53761-false10.0.1.12-8000- 23542300x8000000000000000395816Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:07.035{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0BD7D73B8A7D8A9387565F58C4F22D,SHA256=F86177A68E47C9CEC541FB63394B1333ECF4BA51DD0A48DAF49F5686E5705A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450748Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:07.141{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D99E94BEA693259F34EA823A20AF1F,SHA256=BEF11852751D4D8488C0888EFE62BFF58D183598CCB328D30E7B4EDC72F625B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450751Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:08.424{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E61C8C87124BC5E60332064B1B634F46,SHA256=92113529C48BA1AA0683D8357E6DBC35E727EC741AA3FAFC8D15A632FA28B877,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450750Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:05.500{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-13827-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 23542300x80000000000000001450749Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:08.156{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D96C46D18BA4141FF8EEFDAC4EBD0D62,SHA256=78BC2A2EDCA03324F799D8425C0447EE515AEB7805B23C85D04EF6C00821BA0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395818Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:08.035{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D7FCDA30AD41B98245942261B69296,SHA256=BE35A926F97DCE10EC87310057E57ECC37F34D22642AFA8F945486E49F8CD743,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450753Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:07.640{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54379-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450752Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:09.171{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6426FE8363D7AC41B9807C7E7D8E20B7,SHA256=78C6858794723B0D6D065910C89BC7078EB82745B86FA7A2BDE928738BA06C5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395819Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:09.035{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A203622E5651474DE6A01ECD8097888,SHA256=3D8208F36E95CD3E9D49DDC72CE8EB3DF6E243A6DBD814AB7FDB5F890B307476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395820Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:10.035{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F745D467DF863F93EA19D97D966074CD,SHA256=0AC52D6B91057CFDCE7D8584C2D7BFAD67CD4EC8DEB5E210E2407B447F098738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450754Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:10.203{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F4DD197B596D5BA21640E6917B71EC9,SHA256=F60A1B9D6295186F5BA39EA1A8EE1D59AB145B84674EC8650A811E60E767BDB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395821Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:11.035{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=882041277AB567FB317740D2BF460BFD,SHA256=5E56ADAD2512948699EB5E099DAF3501C35C13B021F271B6957D73A152496AC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450755Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:11.221{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E450FF5F32B0D3B53B37C344BFC610,SHA256=A053C6A97C7E05EBB2891AC8D843F158F16D6A52D7C5493513F5DE5B98F21C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450756Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:12.236{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D698A28CC68BFBFEDCDF0D9A0F2386BF,SHA256=EDEB8BFEC76E9BF5B8ABC910ED8DFD3F67262763AB512ED1DC5A8DEADCB59838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395822Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:12.035{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E40AD8CF9627AF6D396E98BE2E5FFBD,SHA256=DC3FA6953B0888DDCF54846124FDE0D120D0175AEFEB6D40C6F0EA375873A825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450757Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:13.250{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6D08B32B9701C5CBAADCAE66EC20AB5,SHA256=0380771FB78B86A5399F80DD1AEEC861A9B6FA96D2F08D7FB30C9A709647B99E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395823Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:13.035{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC6FF8D5AF061D6BA8514A83CDA89FA,SHA256=A4D6533A6939882601A2217146F9BD2E981421B6C6306E36E3D2C5DEAC7FBE6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395825Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:12.289{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53762-false10.0.1.12-8000- 23542300x8000000000000000395824Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:14.035{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F8A4666E168DA46A7125CD32261333,SHA256=87400EAD6BABE3AF372F1B2636AB0CA4A8E39978BD93E9E34CA1DE590672A02F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450759Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:12.654{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54380-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450758Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:14.265{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4B63F30DD831F4E190C33C404A3505,SHA256=D2E70DD2A24762A0D8480AFAF6DD2A1DC5F1F9EE073814948FF198952ACF987C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395826Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:15.037{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F1E723AB76EEB9A4E8013BA284F914D,SHA256=C7B88D1D68D2869F6A1EA3F6641AF341FE035362584194526400F40DD2C04FBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450760Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:15.280{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02AB407826D93E31ECF81B3684B9A339,SHA256=27A8555F7C4AF3291795AE736E63FC1A9F9B3672482097D37F0DAA5CD743F382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450761Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:16.298{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA5B522BA34F40AF8C8628391F9AA496,SHA256=B7006B25C8FAD59DC3DB0B69678966B6B00668DEBB2397B324D2D620A4FDCD28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395827Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:16.043{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899A844EE401E2B53BB26F6BE8876F43,SHA256=A69EDA65F31FC1D7AFE9983C8323FA83DD33105976DB8F24FF1A3360712BBFE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450762Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:17.315{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6573A7A76B25ACA4CDB3F14851938A5A,SHA256=B42A5DD3AE59B34B905C374D1CEF4CC121D722F6EE0A90F7903D2DEE92E73C22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395828Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:17.050{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47CC0B7A17C8295DE190DD498B1DE4F9,SHA256=BDFA4CDF6D695985A4466D4221AF39CC557E3DE090DA84EA300AF6A470E623E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450763Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:18.346{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBC9E5731A13D0748494677A92833ECE,SHA256=55EF3279EC4FBB72106888FD2544D025B868E34283537B23202D449F5A997F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395829Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:18.050{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13B30531A94C431EBBEBC170FB07324,SHA256=019EB48E83BC992FE91BCB1467EC20B015AD374614C849F77116018DF69A8988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450764Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:19.360{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2398CEF8B2277FAF2EE416567B003DC0,SHA256=93B8266F63879A61EBD90496D035B99B01E10C21414D0247D64FD28C0C2BD06D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395831Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:18.319{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53763-false10.0.1.12-8000- 23542300x8000000000000000395830Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:19.050{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02855CA5074648A5A8E399414336452D,SHA256=6F2F63819DFA37D6D213299D7B665F3F6E72F7053C0AA798C1F433DAA2EF326A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450765Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:20.375{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398E77CC44A4EE8EB855B8EE793D4EE1,SHA256=8B7A68C933BB0CE77989940C123826853CD6B8C22CDE4B4A575C6FDD45FEA3CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395832Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:20.050{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FAB36FE38B5A1111947C371A1D29341,SHA256=4A2D09063FA26B86C984C2D86B6187B6B8A075811FE786C53B27CDBEA8CA884E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450767Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:18.667{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54381-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450766Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:21.393{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB24BBAD2AA35D8324AE54B67368D335,SHA256=42C0ED500849558DF81D3EB48FF5A133E0D3EA105794D1B7B42F7505ECDC2574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395833Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:21.050{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED4FA163B4731C35ACEE658B793C064,SHA256=2335022C49A509F4817BA75007837EA4C87EFBF355726D571A85F6C2F3D773C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450768Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:22.425{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798EE9C5DA1E0249427F2FB86FBF311A,SHA256=1B0E0D58F4E8CDED42E23167055346464228AE22CCAE13E1D015BF3217D133E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395834Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:22.050{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FD0A93C69239F2CF42C315CB91076E3,SHA256=9F00C267DBD14430D2E9079DF9BA96B139912034DF8802565EA2AA0AC59C7ABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450769Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:23.440{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B34DDADBD372DF11A714386DEE1F7F,SHA256=1A17F157235C4784DFE258A6A73AC591B5C43054F57EFD6D4911D8EC977A8032,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395835Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:23.050{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0C10F746678FD86944275164EB9A1CA,SHA256=C4162EFD469F3900271A8F529C664A2E344CC5034DC58DAB265E86FDC46E2F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450770Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:24.471{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C3362A5015BB9F0F6191B92CA0C3AA,SHA256=1929DF578DFBA131EB69AD7B06A8EBE5EABB2F374790AF6255B6CE4CD3441B8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395836Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:24.050{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CC8D5C277D4279F65F907559230D877,SHA256=C1CA715A91C08F13CA9753F12EC75008AB7C29CD55B8A949674BB7775776155C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450771Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:25.488{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43C5F7D3D8FE3DE401EA51A1AA4CCED,SHA256=6B6C57A7F0773FE984AD889C7B086E2CAE28499CA0E65C38D529BAB5F34333BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395840Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:24.334{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53764-false10.0.1.12-8000- 23542300x8000000000000000395839Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:25.378{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9D6B46C1DF752F7786E410979FCD2341,SHA256=EFCBE5D6B8991443D7630811C20160495ED11CC2528819F2008A5D305458565F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395838Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:25.378{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=78B6894A0DFFB51094803E2D9AAC3C80,SHA256=8BD773F63A9B18DA28D5AD61D67E26D6D60CD5937567C1F67577A805814A4E1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395837Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:25.050{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B086C62E86954458EC48E59C658031E1,SHA256=7677800007FF5C6C88B69D8FDA2C6319206706D4A49D04B1F26280F8E3A81737,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450773Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:24.661{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54382-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450772Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:26.506{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=002E586EDC55CE0F3E6054FEA64AD3DC,SHA256=FE258165613BE59756FD6E9694E41D1F19D36BBB0F288F8E2D3ECAAFCB343C40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395842Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:26.284{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=73F07874FCA5413718D7936874D17F5B,SHA256=C3249ED276625A80798D4B3F05AA3470322EC09EA26108ECA5294EADE3F19FB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395841Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:26.050{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65D97EC934CA9E881E3AB34B0986821C,SHA256=36FB55C58D5B5F2535EB0B72D04920F08AA1064452DF373D6D7A678D37154FE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450774Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:27.521{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA0FCA840D82E3D465186F37936DC45E,SHA256=42A253636674B2A459B7037DC3E7DD1CE1483536BEB5F5F1982430A221A77DF9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000395853Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:15:27.754{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000395852Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:15:27.754{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01408d28) 13241300x8000000000000000395851Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:15:27.754{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77197-0x70b03c7d) 13241300x8000000000000000395850Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:15:27.754{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7719f-0xd274a47d) 13241300x8000000000000000395849Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:15:27.754{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771a8-0x34390c7d) 13241300x8000000000000000395848Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:15:27.754{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000395847Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:15:27.754{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01408d28) 13241300x8000000000000000395846Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:15:27.754{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77197-0x70b03c7d) 13241300x8000000000000000395845Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:15:27.754{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7719f-0xd274a47d) 13241300x8000000000000000395844Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:15:27.754{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771a8-0x34390c7d) 23542300x8000000000000000395843Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:27.051{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=423B5F65096D71E9B45E6F5AA148F916,SHA256=D7468D6D61681E7EED20C0C5F41A2A1B3F9C6FA9B4E6B0AFE09A48B6AB9B62DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450775Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:28.536{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4491F051B9E9647F43A1EA10BCA5F543,SHA256=34E225911939343A274A54FE126509E38FA8521882E39BE649DD95B220A13F5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395854Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:28.051{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0D111482922A0D85739A21DEE4EB9A,SHA256=1664118AFAC2D618E65980A4CE5AF1E1DB1B44BD293D1B13AADD6DB03C28BA00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450777Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:29.619{D694AEB8-B3E8-60E2-0B00-00000000D301}6562652C:\Windows\system32\lsass.exe{D694AEB8-B3E5-60E2-0100-00000000D301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001450776Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:29.550{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26114924FA55939ACF23C5375A0B041C,SHA256=B75560FC045B78F6315B2C46A86706E57A0434171BCBF99B142D94DC770A3FA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395855Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:29.051{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC23A4B72E0B7488F044F60A5517A910,SHA256=842F287330A650244C5D041BAFE56285654794C4C83CC3F75D7F23859AD9B842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450781Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:30.635{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCEFDAF9D942AD2568011A36ACA094A6,SHA256=6982231AE1996A90309C5012FB1D8D3474FBDC924DC85D7F1E3F98E220A14DBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450780Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:30.635{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=289ED9F007BA9FDDC35B091F095DBF43,SHA256=B4BE873B392105F57F8BD0AA4B17F8B62B8194E00BCAA7CC2C72F8A42C68206F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450779Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:30.566{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80EBF87EBF38F71F589EFCC0FC86A16C,SHA256=585686D21A2CEACC2671F56EB8F617AF66AEC4FE9032DE8B38E524DF8981C9F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395857Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:30.910{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395856Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:30.051{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B06AC84643531EF87B55E0145CA460A,SHA256=789B3B7B037DA8A01485C422C10066AC271766074D1E65A73CE9B917BB99FECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450778Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:30.203{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450786Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:31.584{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89A93B644040159E0B9A896F36116F0,SHA256=30B60F8FA2533B2B3271D50F4C22B8E87373F0CB89D36E657FA508917DDF23E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395858Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:31.051{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D051B2E89DE93984021676879C2BF5,SHA256=3A1D4560206646F1583D12C30FD24C1D6056E347B55E7E099231266CD11C05CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450785Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:31.465{D694AEB8-B3EA-60E2-1600-00000000D301}12962440C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450784Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:31.465{D694AEB8-B3EA-60E2-1600-00000000D301}12962440C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001450783Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:29.074{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54383-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001450782Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:29.074{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54383-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 23542300x80000000000000001450789Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:32.601{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66477B044B981970EC951EC52CBAC2B3,SHA256=A5C30035B9FC71CE3444B9D447238E73D89B79083EB86DC84EAE74CEC56F773B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395860Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:32.051{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72DA767F50A3C0F316FD0742FA8EFE8D,SHA256=3CC350F401D402C011EA4DF9FC6E2F35B97AA0236550D3056D38805A3D5FD3E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395859Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:30.304{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53765-false10.0.1.12-8000- 354300x80000000000000001450788Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:29.688{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54385-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001450787Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:29.657{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54384-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001450791Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:33.832{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0D08F79BE79EE166B3F727406D4BCDC2,SHA256=4053CAB98D457A477C8A901977B58C664D758A36C738048C20A59C987B65790F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450790Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:33.632{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2BD65FF21EE1C41BDBCA3414F765E0B,SHA256=7306016809154977F45EE9CADAA17AE83EF217DE67F63869FAF4580FDEC261F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395862Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:33.270{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62F66DC4426BF467C7AE5CDC7F508BA,SHA256=4F612B2C71DD89FF1F3625CCBE8A33282B80FDE40CD904F35F7BAC285B562A7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395861Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:31.086{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53766-false10.0.1.12-8089- 10341000x8000000000000000395877Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:34.770{7F1C7D0B-05F6-60E3-290A-00000000D401}28323888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395876Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:34.566{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-05F6-60E3-290A-00000000D401}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395875Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395874Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395873Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395872Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395871Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395870Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395869Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395868Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395867Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395866Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:34.566{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-05F6-60E3-290A-00000000D401}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395865Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:34.566{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-05F6-60E3-290A-00000000D401}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395864Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:34.567{7F1C7D0B-05F6-60E3-290A-00000000D401}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395863Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:34.379{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4069AEE2B0EDA7689DEFBD95075BE63E,SHA256=6787CD700AB7B51038F1E592D2BB7B187E049E10CF938F37A64A76EBE5346F2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450792Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:34.646{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06DFC893AFA0A799857671EBD3D9B0E6,SHA256=74C5B8655D896B587F25D2A7EE944D4ED7063C09D22CB6DFD8E122BAC52F64AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395906Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.801{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-05F7-60E3-2B0A-00000000D401}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395905Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395904Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395903Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395902Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395901Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395900Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.801{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-05F7-60E3-2B0A-00000000D401}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395899Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395898Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395897Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395896Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395895Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.801{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-05F7-60E3-2B0A-00000000D401}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395894Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.804{7F1C7D0B-05F7-60E3-2B0A-00000000D401}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395893Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.801{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=518EDB0B147299BE6CA0A3C439720246,SHA256=961EA902BAAB042D4AC8F7E150DE23DE4393F38775516D3BD14E2288C0F28851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395892Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.801{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE667AB3380572C0FD5AF8FD9FF4EC20,SHA256=F54F2BC4ECDADE736B282D5231F090E5481C752CAC1FDD99E2876366C4FFA973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395891Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.801{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BF1A0BD24C7DAE44782A414E6A4F429,SHA256=89603A2CBDCA657F2148A8DA8E0B56CD9A52939101D1067817D03DE949C48426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450793Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:35.661{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F15C9EBCABB486F48DB4F83413D1DF2E,SHA256=F1FAC15CCCC7854FE4AD9F557E125E80EE6857D7000B07678C1AAA98449B5FC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395890Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.238{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-05F7-60E3-2A0A-00000000D401}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395889Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.238{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395888Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.238{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395887Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.238{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395886Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.238{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395885Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.238{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395884Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.238{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395883Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.238{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395882Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.238{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395881Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.238{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395880Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.238{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-05F7-60E3-2A0A-00000000D401}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395879Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.238{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-05F7-60E3-2A0A-00000000D401}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395878Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:35.239{7F1C7D0B-05F7-60E3-2A0A-00000000D401}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395908Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:36.926{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=518EDB0B147299BE6CA0A3C439720246,SHA256=961EA902BAAB042D4AC8F7E150DE23DE4393F38775516D3BD14E2288C0F28851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395907Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:36.801{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24DEE10C00FF1CDC77F2954730A330B5,SHA256=084525910F2FC2E8FB17270E6AF68D5E8FCB3F9D5B51D5BD14BA91D3B8593AE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450794Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:36.679{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD800C060BF9D72E43614C93232B8AA5,SHA256=233C94DA1DF13E92D1CC71E95353C887C40B6C1D639ABEEFAD97DB8C9055CD4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395909Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:37.801{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2211B1EBFCD8608DD7507A0D31321EE1,SHA256=7FCB68E929353367AF46AB7BAF15FFB70C4793DB9356142B0222D1FDE95E3765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450795Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:37.697{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3590FBDBA4A5530ABD2208AE66F2093,SHA256=15672D5C4B1E3881D7A2B436082FAF365EBD7C185FA469F9193A158B8AEB496C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395911Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:38.816{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F00E35E75DC1BAA028D25099FA1DD3B2,SHA256=AC5E4CF0F8BAB4DA9DDFC5D7F7CF8642744AD6C65885834AFC64FC19F223BD9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450797Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:38.727{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10DA6599D2DF4AB297AECE0F5001296,SHA256=6730AECAB9EFDFB64B4B800F32C1051A2DBE15FBB91365617C75D9DD1DC76E1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395910Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:36.306{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53767-false10.0.1.12-8000- 354300x80000000000000001450796Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:35.714{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54386-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000395939Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.879{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-05FB-60E3-2D0A-00000000D401}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395938Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.879{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395937Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.879{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395936Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.879{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395935Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.879{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395934Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.879{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395933Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.879{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395932Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.879{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395931Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.879{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395930Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.879{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395929Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.879{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-05FB-60E3-2D0A-00000000D401}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395928Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.879{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-05FB-60E3-2D0A-00000000D401}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395927Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.880{7F1C7D0B-05FB-60E3-2D0A-00000000D401}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395926Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.863{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D067E5F069957366562DC338EC6717C,SHA256=7EB1DD048A1A01027AB74971DF1CCE0C7746209D9F61C4F0901167991B0F53BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450798Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:39.742{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDB589B73191D523CF5091796613436C,SHA256=D3B5DAD932025186722D508EC5883EDEF280E42B7FE13CBA18FFF050A44F6C68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395925Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.426{7F1C7D0B-05FB-60E3-2C0A-00000000D401}2121372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395924Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.207{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-05FB-60E3-2C0A-00000000D401}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395923Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.207{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395922Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.207{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395921Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.207{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395920Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.207{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395919Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.207{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395918Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.207{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395917Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.207{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395916Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.207{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395915Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.207{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395914Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.207{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-05FB-60E3-2C0A-00000000D401}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395913Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.207{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-05FB-60E3-2C0A-00000000D401}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395912Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:39.208{7F1C7D0B-05FB-60E3-2C0A-00000000D401}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450799Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:40.756{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CD50C5D271D0CA9A1974F40692B60AB,SHA256=FAC07A4446794E29138AA28AE455C9B927742532A6A95E3D3A379E4F7367B577,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395968Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.879{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395967Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.879{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395966Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.879{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395965Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.879{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395964Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.879{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395963Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.879{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395962Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.879{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395961Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.879{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-05FC-60E3-2F0A-00000000D401}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395960Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.879{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395959Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.879{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395958Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.879{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-05FC-60E3-2F0A-00000000D401}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395957Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.879{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-05FC-60E3-2F0A-00000000D401}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395956Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.880{7F1C7D0B-05FC-60E3-2F0A-00000000D401}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000395955Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.645{7F1C7D0B-05FC-60E3-2E0A-00000000D401}38603200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395954Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.379{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-05FC-60E3-2E0A-00000000D401}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395953Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.379{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395952Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.379{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395951Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.379{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395950Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.379{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395949Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.379{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395948Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.379{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395947Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.379{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395946Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.379{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395945Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.379{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-05FC-60E3-2E0A-00000000D401}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000395944Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.379{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395943Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.379{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-05FC-60E3-2E0A-00000000D401}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000395942Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.380{7F1C7D0B-05FC-60E3-2E0A-00000000D401}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000395941Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.363{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8515BB8691C2062D7B713B710F3C9720,SHA256=D970CD458404DD058C332EB577AE0187EC9CCA1FF99F45C5C1D1CBA63BCC281E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000395940Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:40.066{7F1C7D0B-05FB-60E3-2D0A-00000000D401}2376656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000395971Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:41.910{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DCD5E039471103EF8B03FFD9E2BEB9D,SHA256=046FC86014AD4B0F8E9B9B9C3A6FDB9F2385E1EA546536822FFEC1829F1F2841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450802Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:41.757{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7CD670D8CEFEF669ADE196A8D2C3094,SHA256=8DEB491CE822BA57B9091E58C8DCD4B27A6051349FDC0F7AC0F46572551543AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450801Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:41.356{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=597358AD86AFB0FD10FAFE0BFA4B78BC,SHA256=30DCF58BB28007E67672EB21EF7CF609C3BD5E680B7E7452FCB433802D493DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450800Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:41.356{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCEFDAF9D942AD2568011A36ACA094A6,SHA256=6982231AE1996A90309C5012FB1D8D3474FBDC924DC85D7F1E3F98E220A14DBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395970Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:41.613{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B6B33880AA7BDF208353933B3A83FFB,SHA256=280FA306D1B79246571CB79A180D46C76A693BFA3194D81D73B496DD660CC3B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395969Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:41.004{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FACEFC2C3F38ECEFE8F10258E21164C,SHA256=0D141C1C28885F8AD5060A141045BBF0F89EA19A97BFC963D6C0B73D38F54677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395973Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:42.957{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=909B8C247D7A109E0811BFABDE021BF8,SHA256=288D29E7CAD2E04027677E6AEFBB5740F56930FCBEDC9510A93792AB4C093572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450803Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:42.774{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04371D4D6D972BC2C587A156AE6FB3C5,SHA256=29D2C25DCB9134372129DDF3D84995604311848E7CD7F35B4079AA56C63FB506,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395972Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:41.320{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53768-false10.0.1.12-8000- 23542300x8000000000000000395974Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:43.973{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64CBE6D73DE353131DB2AFE3AE3D33C8,SHA256=49CE7B51F83039D85A9CC3DA061F7080F34670A8331F8CC20127E91EAA686D94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450805Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:43.792{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E2AD173FB3199AE754BDF21935701C,SHA256=F2AF1180C38EEC64F4EFCA97A1623FB59A8F2CBFD8564AD009FF03E2C1886986,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450804Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:41.463{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54387-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000395975Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:44.973{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30CE967D938E307A912A24CF01E227DF,SHA256=C7C3DF28202CDE278D5919950549AAB930CF84867F4D963970328A4283A82626,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450806Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:44.806{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B47047F6FA676BDDDFBC2C53B70B09,SHA256=DDC6A13E0907C187BBE7FC011234E968C5766BC81808CEA65D9929FD9A15CDA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450807Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:45.821{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4465D538662D4408F3303527851032E,SHA256=FA02768EC1E56E8EF4715865E8B51B29251F4AAB5E53B0A3195B94DF44016464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450808Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:46.835{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED9F3C27532E2B9679B9A829F844286,SHA256=7425AABC4BA72E3BE8DD08CA74A2E6419F28CCC8A2CA49B3A6A38F31B89D66B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395976Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:46.004{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00BC69A6BEEB15A57DE0BDA907D4DBC5,SHA256=574B1DEB5A88C87850C8BEAA00D83D57EB38B5CE37585FE49F8E1F08CCCE7F6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450809Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:47.850{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B80D5C0C2BC26027D40E263D242EED5,SHA256=507593B42BA1999F6EBDE31F335F57A6F7B510C100163005C475BFC67B1988D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395977Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:47.113{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4137E636E6C639A3190D8A26A6905B49,SHA256=844ED17A7E3361F17A0C7A4551D213142F2E29810D6A12DEB808F646DBEC58FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450810Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:48.886{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA794247200DD8A842769E63B53DF89C,SHA256=CEEE8BDD8B6E22997F9581C9172298F5A11B00B6B33780D65B88592EF227B57C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395978Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:48.113{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CCC04C0A7905C924CFD9FCBADAA77C,SHA256=85B5C2DE6CCB21C818DDEAF78B1D24F35B3443374A116CDBE51F742B53D1CFC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450812Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:49.901{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F958088DE2661B904AB15FEDF074420,SHA256=88BC376CEE8B7187EE42589DD320C6C2532807BA2AE3681F1537F75A317E95D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395980Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:47.305{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53769-false10.0.1.12-8000- 23542300x8000000000000000395979Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:49.113{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E49FCD9475A9EC50C070D2464520DC7,SHA256=E424FC85C4DAE5DB560848F19F357FCA5ABB280C0380BCF5556C8834B98032F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450811Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:47.488{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54388-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000395981Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:50.113{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F00AF542E82265041323AF01B35158,SHA256=962EA0EA36921BC1D4305A2616A37CC1E4BF273B79A217B6880151A3B43D6DEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395982Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:51.113{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA5270117A23DA1AD30D430146C6B41,SHA256=400419BFAAF06EE1B4378DAED871AC4DA4FED810DBF1E15AF1505585F060EE46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450813Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:51.085{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA4E19C16DAAE82032D5A03BD09B5DA,SHA256=9776A0601037ACBBC758EE4705F6288F2CF192CBF4923DE1EEFE78509B67687A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395983Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:52.113{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E003CBFB797125A24D3EB7DAB4E8AE3,SHA256=8F3CD2ACDEB5BB3C425AAB10B8EA32B7D2649D3F37765BCA8A063F4FD67A68BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450814Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:52.099{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0830C1EA657B426331AAD602A954D3,SHA256=9C5F642A253AA0AF662057080AEE30DDD251596689E575B982AB06350E21868E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450815Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:53.114{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC5A40420A2B5FB02377CC09DFC9F3D8,SHA256=E1EAD9DD7EEC9287EE7789DDE230A9DDA4535A8BE48B590D4AB83112D4A535D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395984Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:53.113{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88EB132CC95591D92444A83EE4FA139F,SHA256=BE4BB17209421D6FC4F492342365DEC1AFEEE7873866919583C11FA454B84513,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450816Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:54.128{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72DF77FA1210F73AC42D42A2070BF7A6,SHA256=57C026490B1E794A68736A4B4BFD20886CEEB8897F16013C170C6388CD0A799D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395985Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:54.113{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D60A77B97BF140B1D0193ABD7F8997E,SHA256=65A48B199D29A56C7F3B00455317CA6C855A0E7481C57083644BFFCBD5AC4391,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450818Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:53.512{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54389-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450817Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:55.143{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8E93F08FCF54D3A864BCF6A71B51B6,SHA256=3DD07FD99A860972C4B28CB54054003C2124E8923719E27B7547B1E6AB05332A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395990Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:53.859{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-63148-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000395989Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:53.289{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53770-false10.0.1.12-8000- 23542300x8000000000000000395988Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:55.504{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66DA205A9529567A5EA0F29C0F32340E,SHA256=FF3E02F618424BED771BFA6C65A1137707FB7E343CC2BC7B0B0F9B3E60B84AD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395987Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:55.504{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=692DC1D58905EA3190FD261793D4B490,SHA256=27C17CD66CE5A6E81BB2312C6670EE92796C27AD667717FCAF83A56F89BF9C14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395986Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:55.113{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B41BA7AC180E90CA4DB6DF6098928F,SHA256=3E9356AD93C89510F2741DE76F5E36C2DB7122242D6EFFD2AA6D6E4DE11B014C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395991Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:56.113{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A451AE62DF029EB7B1A27B46CDC10391,SHA256=AB64A163839BA4DE81A39C2EC9220B80947B6BF625FA21D8B9D5D56508576494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450819Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:56.160{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D4EA5F0970B4BF6B28517BD9D3A79B2,SHA256=450B352BFBDC812D99E351BC1F705C4F0445A428E5877ACC85D060CD0C8ED8B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395992Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:57.129{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5148486539D2ECBC9492AFE34C741AA4,SHA256=BD4BAB7E19FAC6D64BE6179DD09A9874987C7BD71C55A84907A780220D632FC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450820Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:57.178{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C128A1D31A707BCA93A24A6C6CBBD4,SHA256=2548CA197490B18C15EA6CE3D18A965D81DE2676024037B89EEFCC27BC7C9A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450821Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:58.193{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34957727B28167DF8DFA90B5CE9DFBB6,SHA256=B5C2B91A110F89DE2E6475BDDD7ABEE01A0BC7DBABCEF2E968155EF582590C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395993Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:58.129{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9815DDF90D0DD6BFE50FB03F526BD39A,SHA256=6078EF6D6D1D3462AA86B934E9B0D03A519EA2058D845C5F47DAE153632512D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450839Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:59.909{D694AEB8-060F-60E3-BB0A-00000000D301}56406060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450838Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:59.724{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-060F-60E3-BB0A-00000000D301}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450837Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:59.724{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450836Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:59.724{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450835Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:59.724{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450834Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:59.724{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450833Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:59.724{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-060F-60E3-BB0A-00000000D301}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450832Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:59.724{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-060F-60E3-BB0A-00000000D301}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450831Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:59.725{D694AEB8-060F-60E3-BB0A-00000000D301}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450830Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:59.194{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEE7EE8D6FBCE733146635C0AB8DA01C,SHA256=5E5C6AC3DFB2A6477259DD21BF297B821D771F1F218777D1519329462D578CF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000395995Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:58.320{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53771-false10.0.1.12-8000- 23542300x8000000000000000395994Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:15:59.129{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D704FC896ECEF09BA5D24192D6A933,SHA256=E827DFC05B86AEAE10270DAD985E4091C0D61A93B04F153EC055CADF3D4DE362,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450829Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:59.061{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-060F-60E3-BA0A-00000000D301}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450828Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:59.059{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450827Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:59.059{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450826Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:59.059{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450825Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:59.059{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450824Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:59.059{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-060F-60E3-BA0A-00000000D301}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450823Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:59.058{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-060F-60E3-BA0A-00000000D301}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450822Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:59.057{D694AEB8-060F-60E3-BA0A-00000000D301}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001450850Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:00.409{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0610-60E3-BC0A-00000000D301}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450849Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:00.409{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450848Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:00.409{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450847Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:00.409{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450846Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:00.409{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450845Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:00.409{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0610-60E3-BC0A-00000000D301}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450844Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:00.409{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0610-60E3-BC0A-00000000D301}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450843Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:00.410{D694AEB8-0610-60E3-BC0A-00000000D301}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450842Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:00.225{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=383BC887A36DCC1841D57EF9CF9FA32E,SHA256=C38642E9A6F372A0DB811B839328D56BB0A7A03C82378DDE8E01B6DC3CC0FDB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395996Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:00.129{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C465BB7E74D69FFC9656ACD291AADA9,SHA256=FD455CE7536068AA961C638BF351E024649C0735D25790E1399A43CDBDF86DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450841Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:00.109{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02FAF5BCC89615DFE75657A3F73EB40F,SHA256=E5500DA94E85030BD082A2472D0BD47DF16F28F237C0E7B1746FF3C087333C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450840Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:00.109{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=597358AD86AFB0FD10FAFE0BFA4B78BC,SHA256=30DCF58BB28007E67672EB21EF7CF609C3BD5E680B7E7452FCB433802D493DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395997Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:01.129{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CA913BA4B1980283ED689DBEA360398,SHA256=40173929F1127E58018334896785DAE50D781DC31BC018ABE3FB3D7774878B5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450853Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:15:59.509{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54390-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450852Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:01.439{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02FAF5BCC89615DFE75657A3F73EB40F,SHA256=E5500DA94E85030BD082A2472D0BD47DF16F28F237C0E7B1746FF3C087333C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450851Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:01.239{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE8C56CE34BBF0086298F76BC2D3A23D,SHA256=5E828A8930EA02BA60ABC537D85D9529D78B468AFEA270EED95D986CF712790B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450862Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:02.875{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0612-60E3-BD0A-00000000D301}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450861Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:02.875{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450860Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:02.875{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450859Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:02.875{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450858Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:02.875{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450857Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:02.875{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0612-60E3-BD0A-00000000D301}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450856Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:02.875{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0612-60E3-BD0A-00000000D301}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450855Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:02.876{D694AEB8-0612-60E3-BD0A-00000000D301}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450854Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:02.258{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDAF80E54F56C09727F4C5C889A707B,SHA256=30F0E284D693D0F57B1C01E5B7C3E8BF9C781751F5521C366F603BF1FC6BD9E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395998Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:02.129{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678139CD87E10D2F9B78E14BAAB9F12F,SHA256=ADE0B1FB2DE4104A658888273A4643F0343A77B6C95A9C0BB8BD5845EE154044,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450873Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:03.606{D694AEB8-0613-60E3-BE0A-00000000D301}45204740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450872Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:03.458{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0613-60E3-BE0A-00000000D301}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450871Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:03.457{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450870Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:03.457{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450869Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:03.456{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450868Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:03.456{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450867Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:03.456{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0613-60E3-BE0A-00000000D301}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450866Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:03.456{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0613-60E3-BE0A-00000000D301}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450865Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:03.455{D694AEB8-0613-60E3-BE0A-00000000D301}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450864Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:03.274{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA70196AACEECCF2D2C18EF5A74F70EA,SHA256=9D073655363651039A6676FBB37A4CF4CA1871F6111FF26324905373ECF98B6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000395999Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:03.129{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE89A26B4D14795726A293C53BCF9C18,SHA256=8EB10B1FE0DF064E7BEA51DD09A88926DE07CE6917D2A44A63126BDA25F397AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450863Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:03.037{D694AEB8-0612-60E3-BD0A-00000000D301}61524496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000396000Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:04.145{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1067F99346E447293513667ABC29BBEC,SHA256=C8D33AD55CD078A5698867092A4D4126A08ECCD42BF1E2415B50D37E0BDF5332,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450892Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:04.972{D694AEB8-0614-60E3-C00A-00000000D301}40926032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450891Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:04.820{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0614-60E3-C00A-00000000D301}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450890Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:04.820{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450889Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:04.820{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450888Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:04.820{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450887Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:04.820{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450886Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:04.820{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0614-60E3-C00A-00000000D301}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450885Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:04.820{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0614-60E3-C00A-00000000D301}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450884Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:04.821{D694AEB8-0614-60E3-C00A-00000000D301}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450883Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:04.289{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96EBAC1B05DC358A30CCCF5B32555F06,SHA256=32830BD072DDAB6A869041F7A818031B6D78D2703419E505E7400BA07C54926F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450882Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:04.156{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0614-60E3-BF0A-00000000D301}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450881Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:04.156{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450880Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:04.155{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450879Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:04.155{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450878Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:04.154{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450877Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:04.154{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0614-60E3-BF0A-00000000D301}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450876Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:04.154{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0614-60E3-BF0A-00000000D301}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001450875Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:04.153{D694AEB8-0614-60E3-BF0A-00000000D301}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450874Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:04.074{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21DFACF3372BC7FC6E86A0FE2FC09058,SHA256=575A0C76A4C0C9E4537B3E52857BA92E41B35C26EEA4D3667C8586C75F94430C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396002Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:05.145{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9077ABF497CA375DF70EDF011A3A468,SHA256=499A67D8545919A4D00D5A03F3AE95A5C0AFD344D7E2D8D501C1DD8675A7FAFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450896Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:03.206{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54391-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001450895Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:03.206{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54391-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001450894Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:05.335{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5051E66DA8C531023F0A353F3E7D52B0,SHA256=71681121F623D200F560E8D14D9DC23CD1A04694E929DB9F38444B581627FA15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396001Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:03.321{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53772-false10.0.1.12-8000- 23542300x80000000000000001450893Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:05.172{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D5099B8E3BC36ECCDAE52E1D8759E7B,SHA256=66BAFCDEA8D69451A8A5F1C74B244B85DAEEA952F0A463035CA92CEF6217C382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450926Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.502{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF221B0959569E7BE1B8D1137C4B2B0,SHA256=9C7AFE722DB697EDF7543373AE521EAAF0832C67F76EA1123A931CBEE2427265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396003Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:06.145{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC9DBC3C99B194D43C9B363D7342593,SHA256=518886DB6E558BC7DA0FB87AF3563C3A290FF7CC0F910EFCEBBC95E7340695F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450925Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.151{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450924Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.151{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450923Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.151{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450922Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.151{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450921Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.151{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450920Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.151{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450919Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.151{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450918Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.151{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450917Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.151{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450916Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.151{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450915Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.151{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450914Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.151{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450913Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.151{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450912Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.151{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450911Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.150{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450910Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.150{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450909Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.150{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450908Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.150{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450907Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.150{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450906Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.150{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450905Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.150{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450904Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.150{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450903Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.150{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450902Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.150{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450901Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.150{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450900Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.150{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450899Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.150{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450898Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.149{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001450897Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:06.149{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001450928Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:05.506{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54392-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450927Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:07.569{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD7B9155DC0010F843864CE301E3ADF,SHA256=9F407F1EC1F4E292539809061B3DD01C51CD37E2C6313830DBF264FB96B4AC03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396004Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:07.160{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E068A7A7CBD62DEE014558D6C2C1AA,SHA256=464A90D831E8D8173420D19408D1F5997B8AC135B58DBA5665A4687E12D08797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450929Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:08.569{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6B0C9F4EAD43B5BAC313835251CD2CD,SHA256=5DD701CA9FC635A62AE1BCFB635E4DC4158D7610B2AF725D9966E6F0589EB544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396005Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:08.160{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F43A5262FE3A1C1F74B52A67F25C40E,SHA256=2AE8E80336A32FFA7336762439EC5372B0F4D53C42A2A86C0A66E6CCA56EF742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450930Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:09.584{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC1643BE4B9DDAE74DB4271D6B95D02E,SHA256=498FDF36C3AD22AAFA6B1A1E0FB3252E6BAC54EF392BA60B00CE3A040518B355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396006Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:09.160{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2FF7ACDADF3F1A64201B773B6272F95,SHA256=EAFD15E7926AA56637A0BB446347EF6D5AFE6940D5159FC192AFD1D53404D4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450931Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:10.598{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26A538FB5DDEA49D1C93CD4351A4C802,SHA256=20DCD97FB68A3FD4591E385158196D913AD3A68E9930EC790F39CBD8F8E0D254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396007Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:10.160{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752167A218F467658806C3EA616CD333,SHA256=B31E1472493BFAE89FC3940A512CE57C775F49813D4DB8FC9FF5B72FA69BC5DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450932Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:11.613{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=807BE3D1740649CDDD29E6C3265B5994,SHA256=FC57C8F27E195E7AB038523D08BD90C3834BE7461B6E17A7F13095DF8A9B89AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396009Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:09.352{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53773-false10.0.1.12-8000- 23542300x8000000000000000396008Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:11.160{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED931ABC471E8F66D4B3771533757C8,SHA256=7818E2170E937329811F9748AB3AF4D59D80A460F9EB2F45A84A2843C888B869,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450934Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:10.520{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54393-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450933Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:12.613{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90424F8269035C30193C3961EADC3428,SHA256=A71851F0B591D3DA0522387213A5487611A47EC3E0D9759DBE41F730CCF66CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396010Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:12.160{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F14645FA6F5931214CB4CA49D5455879,SHA256=582F1FAE8325A03C7479414417E41C0187185D535B15EC01265BBCF1CD79DEE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450935Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:13.628{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20081078ABD0379576B9B2A67B413F25,SHA256=1983A9F9DD5DA0849EBCB6D19B19C8A3BF90BBF76231DA51602CAFB30CBFEF30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396011Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:13.379{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F7CB1B9D920722483DDCFA1D6C25E3,SHA256=E6EDF2EE1940D40CB7BD1AEB880E115209B413CE4A19864490265C7F6FC21ACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450936Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:14.645{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E3DF59139F6738413C26D13F9DDBC5B,SHA256=DD4B0D881B284DA38C059C5C5F07EB6FF045E5894E366E62C025CA1A94B87C83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396012Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:14.582{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68A7BDAB530F4A1A94574FC30E74389,SHA256=65814B87DD941DA66D5E9A7CABF04496E0E2D5672C65481D30932343DA36555E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450937Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:15.663{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687A97C2310724E5082D7722C279FEB3,SHA256=72FB7BB742A5F763D53B4D6AE93B40EC2014658182660073C35AB638E64583DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396013Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:15.598{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=111726BFA7E6F2A9E3CB187E5AA8C964,SHA256=4CD5FD652492462263C3577A72FF3BEB34BCBAFB08885FBEBC6B4D0C4FB3EEB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396014Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:16.627{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F9EDB9E5532C7AA57DF1C8904BF17C,SHA256=2A3F21CF5F5074B263E67BF9101CBBE836F6195DBF30E4DF979D6EF0A26FCEF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450938Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:16.678{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3759E054AADCE70DBA1354299B3C306,SHA256=EC0B0756C77433DDA900A4057544D0E6D9C227C8EB093A2A60FA6736A1F90938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450939Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:17.692{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A8816247CFC5C3E5319EC4559689EB,SHA256=86EF0FCFA63C9D3FB0ED96B6E979E6543A7A522DC6135BEEBAA6CD1069D15457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396016Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:17.644{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D180A11795872BFFC7C345460E6AE90,SHA256=4AB6001776571758862C9E70BF79D9C25778B4BBF8E2A055871FE29F17E13311,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396015Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:15.274{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53774-false10.0.1.12-8000- 354300x80000000000000001450941Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:16.530{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54394-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450940Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:18.722{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C9978382E1DC0266B30249414A16452,SHA256=763CC9F9A63F1D7D3FF9A7674B8099153D906C0D7315538042CB2FC0ED754AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396017Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:18.644{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878D5770DD9A5F56AF67C1543EB8BF8E,SHA256=B29E3C5FE40677F746C3AB3ED99535CD478E958F013EAE26E5463CC48DEECA2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450942Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:19.759{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F4302C8268B81D7F8E373608D2684A,SHA256=3D5222C1D1DC62D557E55E298A9A353C402399D017A58CD8A84F80875C2F44F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396018Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:19.660{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C45A0B76E6D1FA7CBBCB5408E49B63EC,SHA256=41F73290BF9EAF62B675954E83D8DE030E3E4333B2DD672957C8EFCE5337EBB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396019Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:20.660{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=953904279B97221813AB63C171AA071F,SHA256=E6E8864C8BE8992BC25B0927A7BFB1B9F376664DAF739091373C164ED58C68A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450946Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:20.774{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1636A8F6A2A8D6B0C66AD623B2D47E67,SHA256=CA58143C675DF76D8DFFD2537522D80A8266053847C7FE0F462BC35728794056,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001450945Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:16:20.274{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\DFD6B7A8-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_DFD6B7A8-0000-0000-0000-100000000000.XML 13241300x80000000000000001450944Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:16:20.274{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Config SourceDWORD (0x00000001) 13241300x80000000000000001450943Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:16:20.274{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_E4B998BB-7148-4125-92A5-5D16014446F6.XML 354300x80000000000000001450956Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:19.750{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54397-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001450955Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:19.750{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54397-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001450954Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:19.743{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54396-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001450953Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:19.743{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54396-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001450952Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:19.728{D694AEB8-B3EA-60E2-0D00-00000000D301}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54395-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 354300x80000000000000001450951Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:19.728{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54395-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 23542300x80000000000000001450950Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:21.789{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F828FC8057EB055ECD1E158726CC6B27,SHA256=9384462F619A3683431B21B321CB05AD15BDFCC7D64FDF14CFDAECBA8F317B5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396020Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:21.660{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE329142508CEDB4CA2DC6949F8AC08,SHA256=ADFDD17C1EFB232EDBB7D3EF167415D9850090229BE0475B39BAB049D33460D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450949Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:21.420{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5797A9AD86EB7FD45040D2A7C27915A,SHA256=92FE08F5E9A0FA434DF065620B7ED83D351F3C6BBF08164AEE77AD1EA81E3F22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450948Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:21.420{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA8A7A5255AC0C8ED68FA36CFE7C78CF,SHA256=06BE4A7143B6DBACD5D7A23199CF5B48009053074B46E53B4FBC656FDE7CFFC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001450947Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:21.105{D694AEB8-B3E8-60E2-0B00-00000000D301}6566904C:\Windows\system32\lsass.exe{D694AEB8-B3E5-60E2-0100-00000000D301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001450962Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:22.804{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D1B2338CFA23C174274E3EAE661642,SHA256=A14FA818BF26638986B2646D64CE987C966C059AAD41A02EF3192C0E2CC6D8AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396022Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:22.660{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3C240A663328A8D35ABFC9288C4DD5A,SHA256=83E5B51DFB391B0DB0C8FDF4561096CA0CE4C4AAD0903EA6482BFC4ED54CB9F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450961Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:20.562{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54400-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001450960Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:20.453{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-201.attackrange.local54399-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001450959Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:20.453{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54399-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001450958Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:20.446{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54398-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001450957Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:20.446{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54398-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x8000000000000000396021Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:21.274{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53775-false10.0.1.12-8000- 23542300x80000000000000001450964Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:23.819{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A4DD00A0DC36F9D61CFB5D3421FABD,SHA256=5ADC52E98D9332F2DC07A9365542AA0DC56205C091D0690851A2C75DA1D849F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396023Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:23.676{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13D7EEE0B2D1B9902B542DEA4A0D1F7,SHA256=6C9FEAB04754D626BE206671561CE049B38C391A817460B6CD0C583146AFA7BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450963Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:20.562{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54400-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 23542300x80000000000000001450965Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:24.836{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21437A2FD40169E10A9EC0119D26B309,SHA256=B57636684D93261F94E0FEE90E0CCF3A29BA2A75EC6CF5E4044BC8A13B795E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396024Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:24.691{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E07109CB3C70C9D5160FDE836C03EA05,SHA256=00D95FD9C5A15C5852B6FE81BD2016DA12A6870BCBB950690DED4EB222112895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450967Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:25.854{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61089BE21F8CDC117C015E0A95E281D,SHA256=EAC48FCDBC976619AB61B27DDC1F026CFABBFC4B5AAF4DA45ECBE26345985672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396025Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:25.691{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4836E4707A96DDFB1C84B8B99E1066FD,SHA256=5E76803634A6915D9D718C08AA22FE5AE2E9365E56B534EE808D0E02D260F903,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450966Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:22.542{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54401-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450968Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:26.884{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=414B3B84CF9531F81D828F82ECE9E8F1,SHA256=543C6D31027DA1F502BC9EE69206C900186E121CE29EFBD1E2433D7FC9D55EB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396027Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:26.707{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF155614072018C9001CEA2FACD1927,SHA256=C00F48ECC3739BDF457E4B248F639B6060A4198A5525E3A2F4114C628B110DED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396026Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:26.285{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C9DF8907733081F08C98A4EBFEC56ED7,SHA256=4DAE4E9C84D42C4F10D1239E55042761791389150BE686448F1AEA227AF1AA32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450969Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:27.899{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30664902BD6CC14FE271B21E6D3367DA,SHA256=1B1866F021C09FFBF330C99CB1F6E46EF5A9E7F5EA7EDB0DCE58B9C6448D91C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396028Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:27.707{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FFCA9345CCCB6DFED4F4828217D2A80,SHA256=554FAF0AC7E4E1F840200C35C6032EEF32EE92FEA111EA5DE4E42981001BD46D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450970Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:28.914{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7084D75733D7C13CE4B9E38829AE1600,SHA256=74F7841FB6D2F4A5D4EFD6CA951556BC8A251F00014A1D06FD10371D4FBB6A69,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396030Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:27.305{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53776-false10.0.1.12-8000- 23542300x8000000000000000396029Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:28.707{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B2345BACB0E2C192BB1EE15D8A582B,SHA256=135A96FDDBC01AFF6F4F622DB0EB248D5F40879C9432A72AA94C13697BBE307A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450971Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:29.932{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59AF5CC286A26360883492A474E6CCB0,SHA256=E88E984C9EF430267FCA1730158976DA8383A18FDFCFA608FBBEFFC3BB628C56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396031Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:29.707{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B50E12A76362C2EE5DF5F85796374E,SHA256=29B9D9CCB219A7DEFDF43B23A4457071BEC5536C08292BC719F2E7FF1FEF6692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450974Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:30.950{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E15DD8A10CED994645BD456FE09B837A,SHA256=A964ECBF2A1752B5F42F668CE62EFD3064616B38A366C1455652901D3A862D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396033Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:30.926{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396032Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:30.707{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B864633F752BC5016D111F99CFD8873,SHA256=CB5BC0CA17A32BA79C146D702ED20B52ADA0193CF8041DF00CE550D5F3B7DAFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450973Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:28.551{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54402-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450972Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:30.233{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450975Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:31.964{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC7EDDFC0C331A7580F7BC58225D7D3,SHA256=C837214B23EB79A8A2B58074AFC70CEA867B1BD7AC9B5652C96753EF26A2F147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396034Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:31.707{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39DED983B2C43CCB4F6279FC2C7F18C,SHA256=0050FA9FE42CC36714E76F6F33CC75F67C73BF568B5DA57C375CDA93D72B186A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450979Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:32.979{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1172D5AB2DC06096AC1A1B4C0A082466,SHA256=EFE072AE67917927CFDFA295CADFA8599AF81ED23F4175BCEDDB4B250836D56F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396035Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:32.723{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD33EB8C7DE5FB1DB1B448B403FAAF58,SHA256=292E94B6E42635C1D68736BFBC447B8B0C4058B17305653FE92091DFD51BE72E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450978Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:32.910{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56CBC548FDF8E73E56FCA249D5A12F37,SHA256=D8FCE70C133EA714E0DAE59AD95865D127A43820A65462C33DC4A094A702E9BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450977Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:32.910{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5797A9AD86EB7FD45040D2A7C27915A,SHA256=92FE08F5E9A0FA434DF065620B7ED83D351F3C6BBF08164AEE77AD1EA81E3F22,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450976Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:29.666{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54403-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001450981Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:33.993{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6095D6DB63D1E1FB7D8F642F3FD335AC,SHA256=4D265EEE60653379A900A8715D210F0C52561ACDA359E118B4393253FCBC3379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396037Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:33.738{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2674605315416B9D1FD816A66794D7F1,SHA256=84E7B58859F757EEF88AC37A5E72F033EC1501398DF09E36E8D306192902B6C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450980Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:33.847{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=07270B4BC257B02AE1EC7C2B750DD0E9,SHA256=88C917CD7AF97C57FC4E695F729AD57FF0194ACC4F22A2368F94995CBD94C1BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396036Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:31.102{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53777-false10.0.1.12-8089- 23542300x8000000000000000396051Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:34.754{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7766C81F5D5D1DF9AD076D4F5AA9FACA,SHA256=7E4B0C005DF6EE2FF521ABDFA7CF42794DD54F87B002DAA0CE76230B9B61C519,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396050Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:34.566{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0632-60E3-300A-00000000D401}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396049Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396048Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396047Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396046Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396045Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396044Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396043Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396042Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396041Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:34.566{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396040Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:34.566{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0632-60E3-300A-00000000D401}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396039Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:34.566{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0632-60E3-300A-00000000D401}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396038Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:34.567{7F1C7D0B-0632-60E3-300A-00000000D401}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000396081Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.785{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9008CF39A3E5278B705B05054FB74E1B,SHA256=3D885B20BFCF5F6E303F2FE8013FF5A69696FBD24536789EDBF34696738F64D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396080Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.785{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66DA205A9529567A5EA0F29C0F32340E,SHA256=FF3E02F618424BED771BFA6C65A1137707FB7E343CC2BC7B0B0F9B3E60B84AD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396079Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.738{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0633-60E3-320A-00000000D401}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396078Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.738{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396077Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.738{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396076Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.738{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396075Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.738{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396074Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.738{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396073Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.738{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396072Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.738{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396071Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.738{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396070Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.738{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396069Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.738{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0633-60E3-320A-00000000D401}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396068Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.738{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0633-60E3-320A-00000000D401}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396067Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.739{7F1C7D0B-0633-60E3-320A-00000000D401}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000396066Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.238{7F1C7D0B-0633-60E3-310A-00000000D401}12322148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000396065Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:33.336{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53778-false10.0.1.12-8000- 10341000x8000000000000000396064Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.066{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0633-60E3-310A-00000000D401}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396063Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.066{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396062Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.066{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396061Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.066{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396060Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.066{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396059Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.066{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396058Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.066{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396057Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.066{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396056Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.066{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396055Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.066{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396054Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.066{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0633-60E3-310A-00000000D401}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396053Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.066{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0633-60E3-310A-00000000D401}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396052Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:35.067{7F1C7D0B-0633-60E3-310A-00000000D401}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450982Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:35.008{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8285B8DA8EEC2BAB0C05E71CE7B5E04B,SHA256=36420C1C454BE3E887DAC2D4741615F19287B6A71A9FF8DF094EACFADD491D96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396083Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:36.832{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE26A1BEE3AF95457E6F98247A309CE9,SHA256=CDA5922FDE8F983E9DE2EDEEB00A6020C805873E33A9380C152E1B237A3D6819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396082Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:36.207{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EDCBBF7F99D3E266D414D0A10526EA7,SHA256=8FD52156D3F12534EFE5C2AD73BDE140AF28EFAEC36706A7DFC14262E84D283C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450984Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:34.561{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54404-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450983Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:36.024{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6433370987EC99D0D3A5E7568436B809,SHA256=E3CE68CE6601D8726CA5428E5D042FB3DD008378B4EA9B3C45AE72C8D9E53CAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396084Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:37.832{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7C4F7BE577162AA9A2185721E2B00E9,SHA256=287AD954A5A9B98A6FE979DBD715BD3DA61B7D15BF4BB84F5490AF126D86CBFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450985Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:37.043{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6193BB7DD0D690EEFAFB17A45EE6C260,SHA256=7BD302CA011C4BA699BCB7B00B15840BEBA3F533CB8F9FB306146202B0D91881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396085Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:38.863{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB3795C3E95D2CE95E072C8AEB16D4A6,SHA256=FE658310AC87EE4AB085B56DFF5A5E6FF035793C688DA77D19DB80A521BDD462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450986Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:38.073{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4646EB2B7945249D7D8F8C934F7ABD2,SHA256=47AED407264B835BFE05CE1B959BCBCADA9EE0B389BB158203E414F01BD232D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396113Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.926{7F1C7D0B-0637-60E3-340A-00000000D401}40883632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001450987Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:39.087{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34713C0F9C6B2314231CC6DC87264D9,SHA256=96DBC579EF62E0A3DFA8D536BE229431BB1968C08DA8313864EE6D054B2FF6D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396112Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.629{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0637-60E3-340A-00000000D401}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396111Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.613{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396110Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.613{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396109Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.613{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396108Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.613{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396107Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.613{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396106Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.613{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396105Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.613{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396104Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.613{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396103Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.613{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396102Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.613{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0637-60E3-340A-00000000D401}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396101Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.613{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0637-60E3-340A-00000000D401}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396100Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.618{7F1C7D0B-0637-60E3-340A-00000000D401}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000396099Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.441{7F1C7D0B-0637-60E3-330A-00000000D401}20203452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396098Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.113{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0637-60E3-330A-00000000D401}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396097Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.113{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396096Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.113{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396095Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.113{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396094Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.113{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396093Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.113{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396092Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.113{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396091Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.113{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396090Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.113{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396089Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.113{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396088Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.113{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0637-60E3-330A-00000000D401}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396087Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.113{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0637-60E3-330A-00000000D401}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396086Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.114{7F1C7D0B-0637-60E3-330A-00000000D401}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001450988Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:40.102{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6281816641F720B8F765D7701D77CB8,SHA256=2FA9BA22D6A39F88E97C7948BCB8634CEF5909C53061D14CEC4AEE39028A26B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396143Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.785{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0638-60E3-360A-00000000D401}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396142Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.785{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396141Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.785{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396140Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.785{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396139Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.785{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396138Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.785{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396137Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.785{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396136Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.785{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396135Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.785{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396134Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.785{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396133Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.785{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0638-60E3-360A-00000000D401}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396132Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.785{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0638-60E3-360A-00000000D401}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396131Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.786{7F1C7D0B-0638-60E3-360A-00000000D401}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000396130Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.301{7F1C7D0B-0638-60E3-350A-00000000D401}13281324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000396129Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.254{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9008CF39A3E5278B705B05054FB74E1B,SHA256=3D885B20BFCF5F6E303F2FE8013FF5A69696FBD24536789EDBF34696738F64D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396128Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.254{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D122DA9536425E04C9AE293B15FEC2,SHA256=899E16C58C1CBA9E3574D61244E21D239E49F61CC9DA615078890BB3B0DA58E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396127Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:39.337{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53779-false10.0.1.12-8000- 10341000x8000000000000000396126Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.113{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0638-60E3-350A-00000000D401}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396125Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.113{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396124Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.113{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396123Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.113{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396122Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.113{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396121Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.113{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396120Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.113{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396119Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.113{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396118Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.113{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396117Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.113{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396116Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.113{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0638-60E3-350A-00000000D401}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396115Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.113{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0638-60E3-350A-00000000D401}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396114Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:40.114{7F1C7D0B-0638-60E3-350A-00000000D401}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000396145Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:41.832{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA8891FEAB4BA11B3EB82BEB2EDC4D62,SHA256=9E6D28E55E0AF052B539030F57ACDDB9DB4C6C849680A6956D2C24F1ADAC69B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396144Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:41.394{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E2F59CC70F6C54BB805AB148710102,SHA256=1BABCC28C1E96B7BE476C52DF3E40B13091A6B2EBB75CCC394FA15E25FB2926B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450989Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:41.120{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4EB46D043855A5AEC56D3E0B41E5AC3,SHA256=6F58CA0DA9A30B201CDC26D6B3C846D969F6F799E89D40C5B563AE718B2340E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396146Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:42.520{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41EAF1C18C2D652D850D91A13F7FA453,SHA256=28BA8244A5E4DFFE57A1E8F76BFFA5915B77B374ACDE75647E76CC3711879F58,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450991Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:40.574{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54405-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450990Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:42.137{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F8D2FE4CAA7DDAF8ECCFB6CE16DF51C,SHA256=B47162DCE14459A3E9AA70DAC13A3FA14DAF7A22869164E583A24337393323AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396147Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:43.551{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=580850FA637459FAD2A55C96C015AE7E,SHA256=247584756A8CC19E8AFB1375E65641EBA24F8F785AA971C40CFFB20B0DBBC969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450992Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:43.168{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3CFC4507B30A6360DC02311ADCEF8BC,SHA256=4A617B820F12D1CD6483EEBA26D7C4266816D0667A955E6A40106FBB3D72A7B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396148Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:44.566{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B322C86FB7152DC3A673BE1B8EC72A71,SHA256=ABCA58724BB3AB086F263089499D7F5D918EF332EFE1DC49BEB0CB5EDAE04701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450993Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:44.183{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F49A2FC70F3AEA957DBA209A4F8ABC,SHA256=626A4543FB6751572C684F4C102A44EF0459131CD98C2C804E7BBC5CEADE433E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450994Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:45.198{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F959E7A89315A71B50AFB123F963E2ED,SHA256=C6E129920E763F0915D7EA5503F44606CC2649C73ED8D9A5A7AAA7C92D5EF64E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396149Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:45.566{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1C9B7E652B4A8D6082C732B369E1B55,SHA256=83D6EB437594921D548C20532BA7285C57F39CE80C2455FC1AF4035A274AD0FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396151Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:46.645{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D6D52D04C192701AB8E856C2E931F62,SHA256=CE8072940AC2AFD850E6D306497F1485EC87EFFE02D716107DC9024442EC90C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450995Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:46.215{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9772CF2C8C7AF81A8FD20443965355D0,SHA256=F36D21CF4C383AC370FBFD3135C4B1A9A67BC588A7E86FBA00644241EC0D6C1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396150Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:45.336{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53780-false10.0.1.12-8000- 23542300x8000000000000000396152Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:47.645{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36B0B5B89F9439C9A71462BBDCED3AD9,SHA256=E5F6364E33FA267C05C5B16C8BCA3494149380603400788A39BFEA064396C42A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450996Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:47.233{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F3BC1A409D4AAFD0C253C9145337C7,SHA256=21DD9BA870001F8C91E436CC12F5907F26B3A0EA70AB77CF7B4A5FD75F96CBE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396153Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:48.801{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21786AC47C4863EAB7ABB64D89ACFBF8,SHA256=04CC4DFC2514AD53C7494877141E4C987D490822585665B4169FD46043C72C1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001450998Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:46.602{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54406-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001450997Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:48.265{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5703D9801B1BF7D41ABE3AABA2F8FBAF,SHA256=B2B8705F1BC80EA341D4A19FE3827BFDC4925E03E4C19F1B9161629DB25C33BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396154Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:49.801{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A97DA62CF13723694CECF902926F8C2D,SHA256=F2830CE7B0C84B8E701F14EA1DDD72B288A974A7B75850A718236DA1771E16A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001450999Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:49.266{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9CEE7E5D6D154EFA6449BAB3DCD8808,SHA256=A3B3C5CAAD07BD6C903C98872B20612837497302BFABD278D5C5E9095D277BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396155Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:50.863{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FC8D0F0D22D4790F46B2635CC94FE4,SHA256=2637579780608BC52FAB208913C94808AD675559F72E62C2BEBEB8C612841100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451000Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:50.281{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56570C8149180FDC11434F656DD6C77,SHA256=8D4005A6E0447D286B06D5D2057044AFD3126EC67DF876BB71A3E08100E46835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396156Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:51.863{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7899CC1CC9D6774833B1B01195468908,SHA256=925865CCC38520DA8EF49D5D94E5A7E98AFA40B3D1BB4630625804E8522F0327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451001Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:51.296{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5EF5CCE984AD003A20D434E95C12099,SHA256=0A50DC13F3C15251EB094BC168581D40C833098E086CCFCD588DF80FC6655552,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396158Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:51.305{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53781-false10.0.1.12-8000- 23542300x8000000000000000396157Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:52.863{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA23DC59700989A3406459C788159594,SHA256=607CC70BBC2F152801BF2284C267944F788D909DC1F57522F4971477F2948B4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451002Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:52.332{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE36C1B6000A65005812098B88932B1C,SHA256=BB2EEB39C4E822FA4A8A5ACA5A6F27F608DD48DBDB01FA09DB10F66E67FE0658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396159Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:53.863{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC5EE095348D1F77333B140355074ED6,SHA256=64D272126E14E84B06D62FEA65B8FFDB2BFF5A4765082347DAE07872E6299D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451003Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:53.334{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C2A189B6122343981443679E8FE84DB,SHA256=C8EF3F394283482AA2B7F6342DF124E659EE89AEDC07AE8BF989603F3D1BF021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396160Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:54.863{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26D71BDA7A51D52E8F6012F5AD360A03,SHA256=42231F4CB4D0D09648C1B2CA6F1A7738A2C7D5631B86020D4CC58E9027C10EAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451004Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:54.348{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63A303D84D1297423006CC47C26A5E5,SHA256=783C9B1D727D9AF89712ED8B847383A29619DFCF269F999C582DB1CF22C25ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396161Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:55.863{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A88CBC46C124C7D205E728F3DBB8F2E,SHA256=1805182C431ED94F66F335D348B7180B76880FB5279DF157177577C217D422DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451006Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:55.364{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0151120497324834B7FCE25CE9A8ED9E,SHA256=45D997A28CFA4DEFF516148B1193D8DB25FE08D20B84F9B7332AFA3E9907651E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451005Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:52.602{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54407-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000396165Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:56.910{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A35F2D6F24173EE0ECCE2204369B0E9,SHA256=7007FB0551A334C884E39A1F5F15D768BEE06507724437B9E6E36F3952511C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451007Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:56.394{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3255AF4FDCFB3BCEB8923D86A01997D2,SHA256=7BE2EFE792E34E9420EBC4337BE392F9C2CD141E36D1D7A750DBC25D9BFC6320,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396164Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:55.048{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-49727-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000396163Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:56.176{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DDC56503F76860ACD13E32BF945194C,SHA256=D0BD6B7976D9AE4AC2785A69F1C951419A4A257B68E028FA015F6CEFFF69EBFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396162Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:56.176{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B1C890A18B046A4794158DFA0BD0BAC,SHA256=2C9EC40B53B2D04DDF23DF01FE31C918292D7E6BC1490CDD8876349198A7D351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396166Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:57.910{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C487F5E241925847E2B67A85E3840B,SHA256=1E9746E858EF5FFC99ACB09C276CE2713478C87C6D3BC92807C6FA9262A3CA5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451008Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:57.494{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED02000DF70ABDBD04EFF8D81D04DAC,SHA256=02F0EC55B1701C026AFDD8D6CB3E74A34C2F504DCE197398ABC8B4FD3F9F31D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396167Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:58.926{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A0FB5B6336DAD5D99964E429D505C89,SHA256=6EA8C1FBBE2228FBB705936C3612412C5AD61B3CAB07C42267ABA6C2B41B41AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451009Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:58.512{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520A48C78EF2FDF6442C9FB0882A5A7C,SHA256=8C9EDAF6040EE84DF6D2DDE1C178079660C3DBBBDE79BC1C78E618C2597BD857,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451027Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:59.929{D694AEB8-064B-60E3-C20A-00000000D301}51321908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451026Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:59.729{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-064B-60E3-C20A-00000000D301}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451025Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:59.729{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451024Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:59.729{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451023Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:59.729{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451022Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:59.729{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451021Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:59.729{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-064B-60E3-C20A-00000000D301}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451020Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:59.729{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-064B-60E3-C20A-00000000D301}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451019Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:59.730{D694AEB8-064B-60E3-C20A-00000000D301}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451018Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:59.529{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA7856E5F92CEC6817B16024C0EFA1D,SHA256=11A24EBD495DE6E37D4A0E01BB9F6A63F85A7BD8EEDF05EFCDFABEE815A18D61,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396168Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:16:57.321{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53782-false10.0.1.12-8000- 10341000x80000000000000001451017Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:59.061{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-064B-60E3-C10A-00000000D301}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451016Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:59.061{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451015Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:59.061{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451014Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:59.061{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451013Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:59.061{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451012Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:59.061{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-064B-60E3-C10A-00000000D301}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451011Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:59.061{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-064B-60E3-C10A-00000000D301}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451010Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:59.061{D694AEB8-064B-60E3-C10A-00000000D301}6488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451039Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:00.544{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F4FB3DE6662663A5371844C24AB38D,SHA256=92BD7CBF8B8442D8FAC97E9B8B8F7749449ED01A6455C0D7A4D6B13D9F2E9188,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396169Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:00.066{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2100657245A66A0768A6CD036042CB,SHA256=C7F3E51F66023E471889B301F98CF7C9E6843EFC35D4471B1D36DCE61C1A3D7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451038Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:00.391{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-064C-60E3-C30A-00000000D301}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451037Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:00.391{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451036Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:00.391{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451035Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:00.391{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451034Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:00.391{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451033Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:00.391{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-064C-60E3-C30A-00000000D301}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451032Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:00.391{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-064C-60E3-C30A-00000000D301}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451031Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:00.392{D694AEB8-064C-60E3-C30A-00000000D301}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001451030Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:16:57.615{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54408-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451029Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:00.076{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6A0D42D185324578982B631ECBAD039,SHA256=5CC33FF6375DE1E250CF5F6060C9F9294E5CED68FF0A58BA861461CAA4076FDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451028Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:00.076{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56CBC548FDF8E73E56FCA249D5A12F37,SHA256=D8FCE70C133EA714E0DAE59AD95865D127A43820A65462C33DC4A094A702E9BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451041Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:01.590{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57D7740E131CDCF89C0FB9E22B800BF,SHA256=9DDC093E8EB9056CA8A3359BD9D89DB0D2E8AF13653D445F31874ED5D4981A3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396170Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:01.082{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5771E803986FD83F2C8A836383190BED,SHA256=C3829B13BE3D077EF295E6178C178F85A8AFAE6A0BE0B8329BEAE3E62090FE2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451040Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:01.409{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6A0D42D185324578982B631ECBAD039,SHA256=5CC33FF6375DE1E250CF5F6060C9F9294E5CED68FF0A58BA861461CAA4076FDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451050Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:02.872{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-064E-60E3-C40A-00000000D301}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451049Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:02.872{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451048Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:02.872{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451047Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:02.872{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451046Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:02.872{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451045Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:02.872{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-064E-60E3-C40A-00000000D301}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451044Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:02.872{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-064E-60E3-C40A-00000000D301}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451043Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:02.873{D694AEB8-064E-60E3-C40A-00000000D301}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451042Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:02.607{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E181361DB1CFE154319DAB797A5C5353,SHA256=6496E5CFD75710F5C3F1D0B27EC119E762710C1A5E942F90009F8F73DA982B50,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396174Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:01.463{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-53352-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000396173Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:02.504{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75A0FC3F0EAE34F723D26ED11D6DD4F8,SHA256=6C7AC4B187225D952EF54625B59F85A7AA3DDB50C1EF7F35D837DF490A5FBA0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396172Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:02.504{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DDC56503F76860ACD13E32BF945194C,SHA256=D0BD6B7976D9AE4AC2785A69F1C951419A4A257B68E028FA015F6CEFFF69EBFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396171Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:02.098{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EF9135DD4F57CA935D36A0A8245E08D,SHA256=6A8E1587AE024B184D731E87019F38516CF0E6414FB24CEAE7BA12ED6AA599DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451062Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:03.896{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FBB6CADFC2AFDE676188805F9F43FB6,SHA256=746DD3D06FED8BC5BC7686DF28D6E25C82B05D80788CE05CD845B50B8231C87E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451061Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:03.713{D694AEB8-064F-60E3-C50A-00000000D301}43922544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001451060Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:03.628{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=999084AC8889BCFB1478388CAC174698,SHA256=84AC773E23599810D589FFF6A3A1F873FE6BC7F7E73E418F09EA9248DC0FAB97,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396176Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:02.352{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53783-false10.0.1.12-8000- 23542300x8000000000000000396175Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:03.098{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08B4823317702735EC8F98D4F1537B0,SHA256=18E0DD5F49B3A18E2BC2561873F5D11C6F8E9E1498572B53E00E77B057C8A316,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451059Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:03.544{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-064F-60E3-C50A-00000000D301}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451058Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:03.544{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451057Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:03.544{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451056Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:03.544{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451055Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:03.544{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451054Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:03.544{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-064F-60E3-C50A-00000000D301}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451053Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:03.544{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-064F-60E3-C50A-00000000D301}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451052Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:03.545{D694AEB8-064F-60E3-C50A-00000000D301}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001451051Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:03.099{D694AEB8-064E-60E3-C40A-00000000D301}45046008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451080Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:04.848{D694AEB8-0650-60E3-C70A-00000000D301}54125468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451079Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:04.679{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0650-60E3-C70A-00000000D301}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451078Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:04.679{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451077Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:04.679{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451076Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:04.679{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451075Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:04.679{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451074Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:04.679{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0650-60E3-C70A-00000000D301}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451073Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:04.679{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0650-60E3-C70A-00000000D301}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451072Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:04.681{D694AEB8-0650-60E3-C70A-00000000D301}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451071Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:04.632{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7625433163DAE9473E379E02E273B5C0,SHA256=217A27D4B9539018683DAF5D13B8B9E7F7DE2D754336B98D56527A4B5F77CC66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396177Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:04.176{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BCB3E869A60E968D6F8C4D4412768EE,SHA256=338712EF3A0B71DEF79843B781F9CA6DD6A7D93AD3CA0C1A0110BA37F824D5EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451070Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:04.065{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0650-60E3-C60A-00000000D301}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451069Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:04.065{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451068Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:04.065{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451067Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:04.065{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451066Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:04.065{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451065Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:04.065{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0650-60E3-C60A-00000000D301}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451064Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:04.065{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0650-60E3-C60A-00000000D301}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451063Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:04.066{D694AEB8-0650-60E3-C60A-00000000D301}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451084Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:05.663{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5CC9029475122EE9CC1EA6329E9F0A,SHA256=ADA122FDA4166E594C3E6E1E001135A63DC444A415F42F2BC163C5B83E626174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396178Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:05.301{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68180179A71CD3CDA3047F4E3E548A1B,SHA256=119ADFB463082BCF64DE5E9D83FC3F94E68814C2E958CF49AA9D4C90EEFDC347,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451083Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:03.214{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54409-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001451082Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:03.213{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54409-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001451081Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:05.079{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8994466B3B2B121B0308B90E96214EA2,SHA256=01711FFD63A40B1E82DBF7679FBA67D1D6646A31B681D05F4DB21C658A79BCBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451086Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:06.678{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A17E54D5174612DFCDF75ECDD6F5EB77,SHA256=6AD6F33DA89209DC54530E4A5B9093945944395989037FD2E6C34A334666DF00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396179Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:06.316{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EED63F2547C8DB795FFE41D3A477E11,SHA256=0A4EADF21C5F9A640753CF5F783540CCC437AB9A17005F55AE881A986C14CA1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451085Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:03.586{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54410-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451087Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:07.692{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441B4C0CDD44EF549D6A5684EF680615,SHA256=EE2FB8BC8F7E18DACCFC7D919D003B73379AF64030DDA54ACBCAC175D21AD4CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396180Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:07.316{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB921CB61F6A8C344518EC60753D60A,SHA256=0B4FDDD5A47439BDA656CDD60AAC4A51F5452A50625A04E62541D49DD8FFE4E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451088Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:08.709{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF03667F4937A891D01BB8E242DE5D4,SHA256=505DA2FBA83F0E6BFE2FE04A10569BB3447739872F8D5432B39066A26CB74101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396181Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:08.332{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F939B8BC0AFD2D87800C243C6DAC23AD,SHA256=F555A4C86C3917D3FBBB29DD4B600BA0ACC316F357EDB90B872F58119BBB4DB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451089Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:09.728{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D444CB1C72A277100D9AD150499B7064,SHA256=408DC4765AC99DF4CB741722B0421EB537484A18475B343B8E0AA198D197B2C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396183Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:08.368{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53784-false10.0.1.12-8000- 23542300x8000000000000000396182Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:09.332{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5172BA4CAAF2A9DC6DB12DDDB337029,SHA256=ABCCFD686D05F41193468B0BDF42D0983FDFCD04F7D904458ACEA7BBA1BC4876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451090Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:10.742{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE5A18755F4CC6557F165FBDE1FDB7D0,SHA256=AA40CAE6E6D5911F69A7073E47F2ECE0BC5ED3D8B8F1E6A9FC3F2F4641BAD774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396184Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:10.332{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A915259098FD4D4C4BD42C7CAF7AF1,SHA256=EC055FC8DD1B5D1734DDF2FBBDFAFAB9B11F88CA7BC3A44FCA64573A14F1C45D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451091Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:11.756{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6871A7632C4DFB9FDF49CBF2AD0DA6C,SHA256=71D391F3986DEB633EA16584231439BB6B35E6AD923A680DD74174D361217A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396185Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:11.348{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=349BE398FD230C320AD13453EFA63AEF,SHA256=3B7E9F572ECF8E7DFDBE6381785F63F1B45D505222C40A5501D22B8AD3085160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451093Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:12.771{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5200A605EA6EE27FDD345116C428CB7,SHA256=ACB316CD82D82D8BCD2977A819D5DB00116196B1DD8F405E03906CEF8D53F7E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396186Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:12.363{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21F63231272DEBE327A1B6B4958C5CE8,SHA256=5337DE1AA3A250758DA5CBF3FC16A6D015700D17600CD04910AD3002B5E16048,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451092Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:09.558{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54411-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451094Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:13.785{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95A46EC1ED27D2022B25FC17A3A0FF52,SHA256=D9252A53DC7F8FC8A02E8F2DCD69E659ABA9C9EA2B8056DBFA1AACB7E9970441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396187Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:13.363{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18DB9DC032728F7D35720200DD5654F9,SHA256=D317927347EC2325357B04D74BAE5E2DA091C1F5404BD2D1AFDA681AD9337428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451096Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:14.803{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3FA6D88AC484BD27F3B0987F5FB8F6,SHA256=A341B135C2639C1C0B5544916A1D6B076772252F92A2624B5502EC79E2B9EEAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396188Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:14.363{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23592AF64A3B48D3E9462FC9D37506F0,SHA256=50B5B66CA709277A979807B31FD44CEBF4BA6EE54F6E722093C82A82D4C18DAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451095Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:14.569{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=162F32D0179C573C0827B5770E4CC27E,SHA256=1D7C82AD061BDB57DDE21C4DD6257CCD5A363B9A78AE03112DC60603C5476E9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451097Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:15.821{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B76660ABB2AD77781EA97073EF921A7,SHA256=E4AC03B8BFE6F2D012255D2713B84C81C9E0E1AFCC39DBB329806598376BE161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396189Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:15.363{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FBB041C06DCB3DD47B61611847FEE0A,SHA256=9C8B16D8016AEBA05706563259B2F0983F402FF778BDD34309CFC94B4D569A80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451098Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:16.851{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0F524838462DDF3683FB9075C9B920,SHA256=32B9B40A5D17668DF5CB030C93F46D7EF46E815018C322B4F7A6FEECD380AC27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396191Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:16.364{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83CDFFE603C4897C6C3F59813AC4EB5A,SHA256=2D9C3AEADB8DF100F42209F631BC452C14CBD61DD1BC279AC7F2A55270EF5E9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396190Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:14.337{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53785-false10.0.1.12-8000- 23542300x80000000000000001451100Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:17.865{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B93B783209F9C6FDD2715B379CA51B1,SHA256=97BA3AC303122333B112EF258B934112121F756578080A904DA97CB35123FB63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396192Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:17.377{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C3F44F35777E17392232151199B4A1,SHA256=F11156CC9F98969FCB56C4FAB93F857CCB716933DBBC8E2424918E16156B21E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451099Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:15.589{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54412-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451101Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:18.898{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4E2239127699AB296D3E7D9033DFD88,SHA256=5C45E9208FC24C5272C9D73CEDB0408A2041798D3C42B43208A579207340F3C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396193Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:18.379{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F99D558A1B3F72E8D33D045AC2EEE28F,SHA256=B68C4579075D6FC81F989970A8F5F5A8D234760A1030C222F69C6CD70D0808E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451102Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:19.916{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4C4CF40F6723FECB1E7DD590D16164D,SHA256=01F571FE68591197983ADADEC56DBDB22EAEC8049B20792D596FCF808542D166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396194Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:19.395{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=016A5E666B1409F536EE93E957B94569,SHA256=7A764471E1F847766D04DD2DC204CAA2B7F0B165055D5FA91D73F1A9C832653C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451103Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:20.932{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B7AFB91F92AE2622924945DB728C5E,SHA256=194B80C98D7C294EB5C6F53B60945E7E896E0EB530E0F88EB8ABD56BE8016BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396195Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:20.395{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1613786067887002B2F7A2691B2B52B,SHA256=02698E5DF01D2F6F16B11D262406E62D837B8E61A49F93B061CD8421D9DFB583,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451105Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:21.993{D694AEB8-B3EA-60E2-0D00-00000000D301}9166928C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001451104Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:21.946{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD7190D548DAB241650168CCECBC0D3,SHA256=AE923051B40DC01DFA4674EEEE42B7AD23F9F959A204E849465FA841F7DA30B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396197Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:20.290{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53786-false10.0.1.12-8000- 23542300x8000000000000000396196Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:21.395{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9051B789856B2F92AE20914955F13CC,SHA256=4D976D3D117C4EC1AB8DFDB4DB2F1C4B1F64B77357ED63E1C00F893B989DB708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451106Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:22.961{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=268B5F17FB04D8DD9E45B795B1D2508A,SHA256=2DF9C17567933DFC5D8F70407A3C8D05887639356520861ADF268E9CA3D8466F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396198Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:22.395{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C595BD0F6889D6D2CB4583231618C800,SHA256=EE106E3505BEB9022CCAECB7C72189E9B4B535E3C29DFA143EA0F3AE1CFFF519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451108Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:23.975{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B5722CBCD91AB338CDF1C1397E7940,SHA256=BD8AA261AE453EBE5571A90601F25B4465A73AFF9F4468C58D699D97640AD18C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396199Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:23.395{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB3EB8C6D06B10A59689B29E1FE02EE,SHA256=95070C2D8EDF9036E9A6CBFAAFF3E4A70A16733817600056DC459875BF73BCB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451107Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:21.615{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54413-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451109Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:24.995{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2EF44B18A2DDBE4D295C2E626F7D59F,SHA256=3E201205D9B7CBF3CE3EDA6ED84D7FEF7EDFAC8AB64B834D69BA8464A7EF3ACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396200Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:24.395{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=066784470946384A7D4F70E90551601E,SHA256=F5C1D351BDFC8A011AF716BA1F54577AF0C9B43029E559C9DB783ED2DCD99C3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396201Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:25.395{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A863ACE93CBA9C5336B1A39E1A155889,SHA256=D61775EE80BC90651DBD4799A845C5BB6E3D56C1BA3EDF94DEF3E208D2FC52A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396203Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:26.395{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=697CC48CDDBEA8E1193CE6A6AD1929DC,SHA256=D23637C735BA1DD1B521A3A243CA719AFBE74FD8B6AE64E5508E86855510FCC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451110Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:26.011{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC8983725A4C2C155DD1A45CA37424E,SHA256=543E93068D221743F705F5BDE45FE9B05F785F01851C5F0252F8D6B2416E8FD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396202Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:26.285{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=490090DCA3B571D4DC5D1865A8E593ED,SHA256=467E58728B5B937529AECFAD53FF5AD91DAE4E83057F1C9CA60421AF706289E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396204Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:27.395{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C0F17CB2324A1E9E2F8FE0B0F417797,SHA256=9763E65118CC4D573572A8C6753FAB001CE8128D8ACDA8FF6A9BCD5766ED5654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451111Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:27.025{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FADFC26D997D0344AA0B931C5EDE232F,SHA256=C7354417CFA45604CC0AB08B885B702944A6A26BD34817BC99F9A10EAAC1E620,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396209Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:26.322{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53787-false10.0.1.12-8000- 23542300x8000000000000000396208Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:28.395{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC8C6F3107D7A01E1D47B60D95BDEA3,SHA256=FEDA239BC517D11219C1852A1C269585604BD9CF6B9A359EB4146C322A75905B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451112Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:28.034{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253294BC2D01AE71900A21F7030BD41F,SHA256=A462EE9BF8F05B7A14C57138C8E34F497F4F03033D549F5841BF08E42BAA2A8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396207Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:28.238{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396206Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:28.238{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396205Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:28.238{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000396210Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:29.410{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6461B2482DB9FC835E88EAFB005E4F88,SHA256=7FFD1848466248F988E195215F7A0C59241856223431D67CED0F995E863C9508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451113Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:29.049{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977158A69E58A3518EBA53AACB808EA2,SHA256=8686D6C37EBBBC8DD12D472704FA2548C1432ED8A645737BDACF20D534C66B0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396212Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:30.942{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396211Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:30.410{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE193B6C463692BEAC26384D74BC646A,SHA256=9E5CFA92A93101FF921BA2062A3A925186DCED7FE6D4C18FAA1490B86A1F5818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451116Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:30.263{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451115Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:27.602{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54414-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451114Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:30.063{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AA050F1A24063C3AA0E8AF6B0BECAC8,SHA256=45A3C33C2604E118FF2D6D414D7BE4CC38A71958B6A581F9C5E26C4F1B172DBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396213Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:31.410{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1D37040B4A0D16CD7123B98CDBDBBB8,SHA256=A6395BCF23402FA095B216C015F64F35D0EED186384E881F26E62F7E492CBC2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451117Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:31.096{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441CB3D88BAA8306D2627E83D081B459,SHA256=FC519701C76648DB9276BC99E8F3DC928FC2EC14AF118ADFE3E29245B021FF2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396214Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:32.410{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=780FCCDE4C4AD8E60C0DE69F922E6B7E,SHA256=C9D19CD2B7C5AB739D02CB938D3FCD90366BFEFE1806BC278506DF3AE8BD7204,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451119Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:29.700{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54415-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001451118Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:32.114{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD9AD6B4F5791B9CED6258B7E52E072,SHA256=2A018399B942C164DAD6CE07F14341D2A5DEBB1FB11AC5EE12EA9BD93A2A3E0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396216Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:33.410{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2DD1E47BE9DAEF699232E3FE06F1081,SHA256=74A91E669EE4BEDED145561F8D126C9F25F473F59F284571AEE81173088F4EB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396215Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:31.119{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53788-false10.0.1.12-8089- 23542300x80000000000000001451121Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:33.859{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A143D40899D9F3E4E692EF15C9F2ECD8,SHA256=41BA1BB70735696B6AE2971E53BF3E9C722D1E1CDE43739C88C051CC0FD10A41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451120Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:33.129{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6860902969427BE99387BD7DE8F371A6,SHA256=B7ECDFAF4A9322EF6A5C90C0D6A1AA0CE829C9970210438D1D671D1A18ABCD6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396231Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:34.582{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-066E-60E3-370A-00000000D401}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396230Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:34.582{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396229Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:34.582{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396228Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:34.582{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396227Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:34.582{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396226Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:34.582{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396225Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:34.582{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396224Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:34.582{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396223Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:34.582{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396222Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:34.582{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396221Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:34.582{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-066E-60E3-370A-00000000D401}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396220Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:34.582{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-066E-60E3-370A-00000000D401}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396219Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:34.583{7F1C7D0B-066E-60E3-370A-00000000D401}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000396218Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:34.410{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4582E4677BEC93048773DB4661C058B0,SHA256=D4242961AC59ED7DCD6EF952426E50B2AA5274F522C474B4373B0DA6890E2BA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451122Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:34.143{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CC8E84EA279BA55522A2E4D6941F3F,SHA256=DBD0BD1DEA5194007BE0C9703DFF20CC7FD4D9A920E17A8B68828E2F726FB978,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396217Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:31.337{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53789-false10.0.1.12-8000- 10341000x8000000000000000396261Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.645{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-066F-60E3-390A-00000000D401}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396260Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.645{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396259Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.645{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396258Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.645{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396257Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.645{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396256Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.645{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396255Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.645{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396254Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.645{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396253Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.645{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396252Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.645{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396251Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.645{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-066F-60E3-390A-00000000D401}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396250Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.645{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-066F-60E3-390A-00000000D401}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396249Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.646{7F1C7D0B-066F-60E3-390A-00000000D401}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000396248Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.613{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1C44955C26B5E300529951B0388F8EB,SHA256=449030FC6DA7B7A80AB396CC1382A099C6C7EC16B4321930BA761BD376C333EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396247Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.613{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75A0FC3F0EAE34F723D26ED11D6DD4F8,SHA256=6C7AC4B187225D952EF54625B59F85A7AA3DDB50C1EF7F35D837DF490A5FBA0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396246Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.551{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC0435BCCC38CEA2556BE996E28772DE,SHA256=361A51961171DEE864E7DC31599012AF373040632E0DE94FBD7F548262AC7D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451123Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:35.158{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4DBBF848F948E5C312B671DF91E7623,SHA256=6AF43F9587006C7D979743894F64EE01BE61FEDA207AB54109379E81E398C647,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396245Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.254{7F1C7D0B-066F-60E3-380A-00000000D401}40843200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396244Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.082{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-066F-60E3-380A-00000000D401}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396243Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.082{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396242Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.082{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396241Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.082{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396240Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.082{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396239Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.082{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396238Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.082{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396237Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.082{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396236Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.082{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396235Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.082{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396234Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.082{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-066F-60E3-380A-00000000D401}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396233Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.082{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-066F-60E3-380A-00000000D401}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396232Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:35.083{7F1C7D0B-066F-60E3-380A-00000000D401}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000396263Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:36.801{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1C44955C26B5E300529951B0388F8EB,SHA256=449030FC6DA7B7A80AB396CC1382A099C6C7EC16B4321930BA761BD376C333EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396262Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:36.645{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7231693EF834A6118CB4DC4F835AE72,SHA256=9A727CD71A72DCD54C0F7A79027CBA7FE895E39F2399A1C35F2BE34C5A8ED602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451125Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:36.172{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B25B214AE2CAA4614DAE048466E86680,SHA256=9CEDADE263D7A9FEF67570B98B275C875AD51F700ABFEA274AA967496E2B0767,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451124Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:33.581{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54416-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000396264Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:37.676{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DD6A50B30160EF43D2A945FDC8A14D6,SHA256=448003213AA94DED5B83FEDF91FA751B28C40BDD25755C3F6A11A2A53E90FAA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451126Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:37.190{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67B0B561475C3102880126263202B9FA,SHA256=463FCFCEBF023644463D7CF7541063E75FC1F4CF09B5233F3BA180527E872749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396266Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:38.676{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85EBE67335E5BBD5BDD4485734899FE,SHA256=AD53AED218A6DC576D079B67F17BCF3FBFE59F318F68658AEFB72F41359D4CC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451127Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:38.208{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69602CC8FFFB0A202440716C6E63B3E,SHA256=4AF08AD1D36A1AF5A09F754D998B591EB2F2DB121E5035408CD18240E8C2FCB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396265Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:37.322{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53790-false10.0.1.12-8000- 10341000x8000000000000000396294Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.707{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0673-60E3-3B0A-00000000D401}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396293Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.707{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396292Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.707{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396291Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.707{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396290Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.707{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396289Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.707{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396288Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.707{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396287Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.707{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396286Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.707{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396285Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.707{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0673-60E3-3B0A-00000000D401}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396284Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.707{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396283Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.707{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0673-60E3-3B0A-00000000D401}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396282Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.709{7F1C7D0B-0673-60E3-3B0A-00000000D401}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000396281Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.692{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B064AEECC3EB5CB031038013318CAEC,SHA256=50433B456704F797F4A024A43BC99D6FDB0536CEBC92525F09F106D13F354CD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451128Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:39.222{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C226D7F072D04C64702E3D29F0A8A5BB,SHA256=B7E5C5E912F059738B61943E23454F17F53E396B220BA97E4DDB9FE99FE45027,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396280Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.238{7F1C7D0B-0673-60E3-3A0A-00000000D401}24164028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396279Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.082{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0673-60E3-3A0A-00000000D401}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396278Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.082{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396277Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.082{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396276Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.082{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396275Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.082{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396274Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.082{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396273Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.082{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396272Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.082{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396271Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.082{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396270Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.082{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396269Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.082{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0673-60E3-3A0A-00000000D401}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396268Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.082{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0673-60E3-3A0A-00000000D401}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396267Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:39.083{7F1C7D0B-0673-60E3-3A0A-00000000D401}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000396324Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.957{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E70007C31F7C27E989C49FADCA8A88,SHA256=776540F743D963140B09279CE75A735D381A6A2DDAEC381ECC0E5FAAF4FF4ED7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396323Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.895{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0674-60E3-3D0A-00000000D401}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396322Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.895{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396321Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.895{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396320Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.895{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396319Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.895{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396318Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.895{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396317Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.895{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396316Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.895{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396315Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.895{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396314Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.895{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396313Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.895{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0674-60E3-3D0A-00000000D401}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396312Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.895{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0674-60E3-3D0A-00000000D401}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396311Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.895{7F1C7D0B-0674-60E3-3D0A-00000000D401}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451129Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:40.268{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5AAC79A2F7BCDA7A8CFAFFD4A5C4FD8,SHA256=D320F4CD5B654E6CB93D2403D39F8594F45AAE0BD647880C9B5BB798AF825134,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396310Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.410{7F1C7D0B-0674-60E3-3C0A-00000000D401}20923264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000396309Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.238{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75B1119D28DEEE4472338D6316044541,SHA256=46A5C192837DE624DA243A29CA256913F760859A6AC2E8F9627EEE2B2F879E14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396308Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.223{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0674-60E3-3C0A-00000000D401}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396307Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.223{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396306Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.223{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396305Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.223{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396304Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.223{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396303Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.223{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396302Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.223{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396301Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.223{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396300Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.223{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396299Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.223{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396298Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.223{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0674-60E3-3C0A-00000000D401}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396297Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.223{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0674-60E3-3C0A-00000000D401}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396296Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.224{7F1C7D0B-0674-60E3-3C0A-00000000D401}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000396295Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:40.004{7F1C7D0B-0673-60E3-3B0A-00000000D401}27722728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000396326Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:41.957{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6803EC0686ECAA33F7532918F25C7C4,SHA256=B8AFFD3279080B77369C0A4827469148F6D5C3124714D4A7A9BAB168C5F719FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396325Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:41.957{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98AE5D740BC23AE27D590FEFD9C9BDB1,SHA256=55DF82E00F8FEA177288D38919628B47227A606DFF6CF03512A3EA2CBDD57ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451131Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:41.286{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86562859A22834EA3357B62FFEA029EF,SHA256=58824CBC798227B6987226C0DAE123E280D837DC80B7BBC7356CF320A00A2FD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451130Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:39.574{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54417-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451132Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:42.305{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=082FDAA2674D7866562AADA22C83FEEC,SHA256=253A3ABD317DA28778D86A2A333A4027AFAB02D0302AF86C6508F1FF8E984580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451133Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:43.320{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D9F8AC24DD6E77F7C9ADA85F94EB49,SHA256=24DAB966A9EDEDF40B8FFC3727EB396D3C82E2FE6CF82890E4CBD348AA31CD6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396327Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:43.004{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5A99447985121A423EB01887DD5CC6,SHA256=CAA83A992A33F35B46F7393BD7EF826BFD785C67E2E9B1A2E26CB0AC5AD4C6F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451134Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:44.351{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB6F6166C0742FA0F82B7AF2B2380FCC,SHA256=E22AABA2034B37A043C068C522CF68BED344359ED4306973EB44E0AA9A473A5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396329Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:42.322{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53791-false10.0.1.12-8000- 23542300x8000000000000000396328Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:44.176{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7047A360FA4ADB987E9F396A2B66D5B7,SHA256=EC4F6445709B53F135E7C8DF54DAEB903AC2A66E7AD10E7FBADF182E2122CC86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451135Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:45.402{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDF09A976E3538800866EFB1F4FD33B,SHA256=914FEC16EBF4BF1350D4552637C6CBD5AA4CF0C4473A3FB9C24C7AFA4708DB50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396330Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:45.192{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEEA15CEFCEC2C020D043F5BE58417CF,SHA256=2A6341935DDDFB97EB127CCC849C5D4C1B6D3A9839501E9D7B7EBB050E63C293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396331Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:46.238{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2C232D127D787C309D88725623E4177,SHA256=C01DBCAB7B1CF47124A4B556B3238DF4F08905A92D5F0EA6467BF70234D8975A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451136Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:46.417{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6634183F771718CECE6AAE903BFEE64D,SHA256=E2C81EF369DC7E22E7DACF236F4E19D8DAB8A38342A97271D13AD2B2A5E2E10C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451138Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:45.617{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54418-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451137Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:47.431{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA513412C537E2BEC3E5BF47D7FC7D7F,SHA256=C17F12200CFF81BBD68B10E09390E1C2F102C9B2FF133FA8B7B11551C90516E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396332Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:47.285{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E0C1DC953FBAD7854CC93EB698AAFCA,SHA256=8F9C16491DB451FD352512D363445D25B5D8F1AD3AC865F9DE593BAC1A579DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396333Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:48.410{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA206C52A557FC43FF52DF57C28F9DD0,SHA256=BBEBE3DD9473336538964108E830F43D985A94667200D30087C66E4B7AFF11FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451139Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:48.446{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A3334D75C3F07054C51C412AB6F80AC,SHA256=DDD506C3BC31A991B20A475D4FF5DB2D5B7011C0C1840C787D7E2C2C34EF7D2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396334Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:49.410{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA8C18B40A8112DC3CC95A53D5226E3,SHA256=D35021505BD00B7B89FC4F7ACD427A70F18DB111B0EB24A2764A76607CED56ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451140Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:49.461{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73DDEF194A2F311A49DC77E56ECF2532,SHA256=33BAA261A7FA1D5E6C3E31B42F33F3B4A71C9F0A25A746002004D997E94ED31D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396336Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:50.410{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B33763E173A8260218226C453FC60A3,SHA256=2F82E6792ED94A76E3470F2BB6CB46540D2810C03B9AA4ADB370209D65BB08B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451146Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:48.271{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-201.attackrange.local138netbios-dgm 354300x80000000000000001451145Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:48.271{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-201.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x80000000000000001451144Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:50.480{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF6AA9FEDCC2767FB23363348E2A4A0,SHA256=D33111CD963F8F2B879A287EDAE338EAC5BF4FA19465F4CC3956EFE148C59F8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396335Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:47.323{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53792-false10.0.1.12-8000- 10341000x80000000000000001451143Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:50.397{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451142Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:50.397{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451141Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:50.397{D694AEB8-B3EA-60E2-0C00-00000000D301}8607040C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001451147Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:51.496{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A673CD2DCC1816332C525DA2AF1EB2DB,SHA256=F736BD5A74D7A7CEBCBB703F2860D03C6180B8CB2013712F910F0CB7E3374458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396337Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:51.410{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1C34ECF048187ECA1A81BCA7F6BA200,SHA256=D02772912836A990E6C1E411C42DD38AA9078F936750887D794B463C62F6E3CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451148Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:52.526{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=035B0E183475AF507CB5CD46F507D8C4,SHA256=123767495853A7E71F544E1521D2F7B1CD34A64E02C706CB72BD0ECA4F9E6552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396338Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:52.410{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC4FA7C9999B652DDF750303B30BDE83,SHA256=DC5B44D60C4A613293C4900099D6E8168BFF9896877A81871CC8DC362F53EDAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396339Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:53.410{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D39410ED5B6EC694C552CEDAEE2A7ED,SHA256=62FD305D1BE28AC09DB38B803FD68C61B38EAA3890714034DE336D2A2A244695,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451150Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:51.595{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54419-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451149Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:53.556{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E99C1ACB9B26C59D9D4CA4C259139FD,SHA256=3D2747D036CF03B2491B2B2D2D1FD87E28277B1759572F4246199684FA5E3B1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396340Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:54.426{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2FB96D47CC99E6ACFC16EE4EB87C55B,SHA256=4EC409E61A122D8F3547719FB0BD6D6B6CD1C06B39CA436020780A7BDCD592F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451151Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:54.574{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0888E31DF8AE8179B3A12AC9D2876379,SHA256=F0BFB541E625BE4331F3777E124DFFC0FA07E5CE1E8F76AC5DF96B723CA43BA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451152Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:55.591{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0F2DEB49D3453B8792235A54D45713,SHA256=25AA98B3DFFC394889F34C116B6CCC36294E094BA81A1946286A30CC6EF2C787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396342Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:55.426{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3431BF5F949FA87B1F3E9B2C914503D8,SHA256=9AC9A1275280D7A93F6F3A9EB08C1390DD4D4B3FB9FC6A99F1FCD03757355085,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396341Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:53.307{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53793-false10.0.1.12-8000- 23542300x80000000000000001451153Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:56.606{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B73529E105905C3B500DC8C839F0905B,SHA256=3BE1798A12181250560CCA975B8B0AB5CACD273871E6D65BEC74A7F49D2BF8BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396345Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:56.426{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6903A0DD7CCB01398272D8018A0CED9C,SHA256=2FDDAFA84FF45E933EDF16A17029E5FAEB8DDC4FD488227063E4EEBEA21F00AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396344Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:56.426{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=572CD94E0A6319328DD6A40DE1460F66,SHA256=840B3B1C94D4C8E683C2DA64D6306CE939D8CD9A47F8E180A60FB0CEB77405D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396343Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:56.426{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCEE152F22B1806839DB720E118680C,SHA256=FE4BE076380AEF5C4AD79F46F38918DBAD27F666DF398BA1CDF056EA68AD7392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451154Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:57.607{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87F1F789ED9BABC29BE63D02791C2E0C,SHA256=399941B570BAB94262E264F0B765690484E1DAFC6347282BB487CBFDAF58D673,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396347Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:55.029{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-50645-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000396346Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:57.426{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74221563F219A56AB19CA84910D0EAD1,SHA256=4D8B595CF08FF45CBB3450E2CE247D6A0925ADA4234065E52F4AC55038F46C76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396348Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:58.426{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C08D6FADC6472E930B55B67AA7FBD6,SHA256=BA1F769BC4A32269F9940AF54E3B332133F6F88E996AEA277261402D423B863E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451155Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:58.622{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BCB883B928D96531293AC99AA76809A,SHA256=3724ED98B13F5B530FFF2AF7197863C499A85B2CEBEE63D70E92A3F0F6AF73D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451174Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:59.921{D694AEB8-0687-60E3-C90A-00000000D301}53562192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451173Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:59.705{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0687-60E3-C90A-00000000D301}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451172Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:59.705{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451171Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:59.705{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451170Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:59.705{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451169Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:59.705{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451168Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:59.705{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0687-60E3-C90A-00000000D301}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451167Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:59.705{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0687-60E3-C90A-00000000D301}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451166Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:59.707{D694AEB8-0687-60E3-C90A-00000000D301}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451165Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:59.652{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE0367236AD107FCD96790BEC263EFD,SHA256=0D49BACE132CD83DDE2664CD7E4278C270A53B262664B3C2972BA8EDB52BE4C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396349Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:59.426{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A0F6F7A8ED4BEAA74C922F30878A6C,SHA256=3BFA343C1AA4125CF32D3266EA1814F20C6F7A5A99012FDD62EAD035F1189505,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451164Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:57.622{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54420-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001451163Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:59.073{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0687-60E3-C80A-00000000D301}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451162Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:59.071{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451161Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:59.071{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451160Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:59.071{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451159Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:59.071{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451158Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:59.070{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0687-60E3-C80A-00000000D301}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451157Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:59.070{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0687-60E3-C80A-00000000D301}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451156Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:17:59.069{D694AEB8-0687-60E3-C80A-00000000D301}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451185Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:00.673{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C45B169EF48FBF6E1EA5383D43839DE,SHA256=E629E22F7FBD79B2D64B636769FFBFEF4B311E426E341D4926F5258D78CFE0A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396350Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:00.426{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2A0258B43B57FF5B4F3E2DA9690C9C1,SHA256=B56586AAB39765479BC52AA21CAAA418F9E06BB6ECCCA1EC21746F7AFFF2C694,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451184Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:00.320{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0688-60E3-CA0A-00000000D301}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451183Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:00.320{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451182Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:00.320{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451181Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:00.320{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451180Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:00.320{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451179Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:00.320{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0688-60E3-CA0A-00000000D301}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451178Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:00.320{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0688-60E3-CA0A-00000000D301}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451177Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:00.321{D694AEB8-0688-60E3-CA0A-00000000D301}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451176Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:00.105{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D25EDB1AFF03B0F6D50E8F933821DF7E,SHA256=B04CC2A898BB3FEDE38A4AC99D38686FEF88799D370A388B7FCF0DFE57CF3B6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451175Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:00.105{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F78BD9BC853494A31E49C9E5100ED8B8,SHA256=BDDBAF6CDB7018F79C8B90D1BAD37054F839070414E193CC104F283AC0D9B319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451188Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:01.918{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\aborted-session-pingMD5=C348FB1F4BCCE389985E70E325B2CF7E,SHA256=675284360669CF5AD1E7F2E43A278328228F1D8396A9FC18CBA554FAE8870D0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451187Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:01.687{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E19E78315B967EBC1442947507AE6195,SHA256=31CFD50AEC0952786B87A94F4D9B56ED10FECBC6FA2D604D3B5A4EE5E20267D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396352Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:17:59.322{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53794-false10.0.1.12-8000- 23542300x8000000000000000396351Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:01.426{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6827D877B09778D03A1040025CD17F33,SHA256=EC1F774F00B528D4823C92D24801AEDEEB3EA5D4A546DC3246114CAFB45E80AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451186Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:01.369{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D25EDB1AFF03B0F6D50E8F933821DF7E,SHA256=B04CC2A898BB3FEDE38A4AC99D38686FEF88799D370A388B7FCF0DFE57CF3B6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451197Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:02.886{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-068A-60E3-CB0A-00000000D301}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451196Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:02.886{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451195Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:02.886{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451194Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:02.886{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451193Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:02.886{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451192Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:02.886{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-068A-60E3-CB0A-00000000D301}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451191Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:02.886{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-068A-60E3-CB0A-00000000D301}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451190Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:02.887{D694AEB8-068A-60E3-CB0A-00000000D301}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451189Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:02.702{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2607008A40BE3A58E259DB9FEEB5F222,SHA256=F723F3062E385D8A5D964565DF52F176A8D7B7B5DA8059E01F6D20A26F0A111B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396353Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:02.426{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6959901A8CE01B9AEF0F648DD6E1984,SHA256=1979E2004447D94A55087BDF3E56B24722845CB63C81B94300E65682F8D40121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451215Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:03.932{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8479051ABF85BE591CBDB50A5870559C,SHA256=B62075466F36375000794AA4E5459008990D4FBD151D9A4E06CC776CAAB5B7A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451214Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:01.688{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local54421-false54.184.190.181ec2-54-184-190-181.us-west-2.compute.amazonaws.com443https 354300x80000000000000001451213Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:01.549{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56771- 354300x80000000000000001451212Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:01.549{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60464- 354300x80000000000000001451211Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:01.546{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-201.attackrange.local51715-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x80000000000000001451210Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:01.546{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local62212- 354300x80000000000000001451209Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:01.546{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local62212-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domain 23542300x80000000000000001451208Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:03.732{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FE870E3D66425A8C250E69CA80D53C5,SHA256=62AD4FCD110C8E471A9B99D38137EC1D64FCE861B471088D20CD7FB1B34D5A9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396354Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:03.426{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1B64916EFEEA485F6BB882DD374875,SHA256=C25F346460C3D0A755AA38D60362894FC1EAF2D16C15F7D23E5A169CE73FD968,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451207Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:03.685{D694AEB8-068B-60E3-CC0A-00000000D301}53882180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451206Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:03.548{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-068B-60E3-CC0A-00000000D301}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451205Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:03.548{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451204Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:03.548{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451203Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:03.548{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451202Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:03.548{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451201Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:03.548{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-068B-60E3-CC0A-00000000D301}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451200Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:03.548{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-068B-60E3-CC0A-00000000D301}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451199Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:03.549{D694AEB8-068B-60E3-CC0A-00000000D301}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001451198Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:03.069{D694AEB8-068A-60E3-CB0A-00000000D301}26966084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451237Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:04.901{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-068C-60E3-CE0A-00000000D301}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451236Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:04.901{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451235Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:04.901{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451234Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:04.901{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451233Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:04.901{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451232Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:04.901{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-068C-60E3-CE0A-00000000D301}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451231Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:04.901{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-068C-60E3-CE0A-00000000D301}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451230Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:04.902{D694AEB8-068C-60E3-CE0A-00000000D301}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451229Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:04.769{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA145F29C28A8684C3AD7CD44C3967F0,SHA256=670E7985CBF26B547A4C7129564899FFE49C5A46EB1AB7CDDFEE9D0E5BFDCB0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396355Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:04.426{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=999DD05E9B84865C2FD3D4B636AAC389,SHA256=BEB4415CA0FA17EF6FD8DBC3EBF2C7D92E93B261DE640375122469976F679DDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451228Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:04.717{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=525F9F44B72D9BC8293E3731A8305EE1,SHA256=48406196098E667932BC4CA6F34852692FED751FE05252FD9B2B9E8509711862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451227Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:04.717{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=8EC2611825CF81A3289381EE89D2FD25,SHA256=6F8B935D3FD132731DA7C7D9B88723BFE4A6C262D4FA74516256124494C3DE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451226Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:04.717{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=B35D0E9C8740BC29AE96D7FEC69BFC9C,SHA256=27DE630BBABBAAFC68009CD71C6E2C186B6786A228179B13F9E2878F2EEB7558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451225Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:04.717{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=17531B70B10DF938AA2DBE32E1F10049,SHA256=E4A9770DEF155D4080CA0B2D309FB2CE3B871F68B000E74C34C9AA28496CC7C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451224Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:04.717{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=D23DF94B4877FCA60F84DE7C5F0EA180,SHA256=1100860B95551F521A540D77894FAFECBB76729A0C1CA6D8C823447792FA1CCE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451223Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:04.216{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-068C-60E3-CD0A-00000000D301}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451222Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:04.216{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451221Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:04.216{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451220Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:04.216{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451219Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:04.216{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451218Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:04.216{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-068C-60E3-CD0A-00000000D301}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451217Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:04.216{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-068C-60E3-CD0A-00000000D301}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451216Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:04.217{D694AEB8-068C-60E3-CD0A-00000000D301}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001451243Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:03.054{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local65298- 354300x80000000000000001451242Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:02.670{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54422-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451241Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:05.785{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CA03BE0AB1E4F2C0005761804393326,SHA256=E30CE1C260E9DD36E895678AC3CC87731CE990926FB78499958DEE62A6B85B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396356Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:05.426{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308DF67B6A6DE691D7D02C0B20BEC19A,SHA256=B7F1CD219B923324D31DBB7A5BC770C03A5E0BBA9D9810EC6CE5DBCE8C47150A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451240Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:05.232{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40BBBAD0D9D5F9D3AF73508E35937C6E,SHA256=2D725E0D230AED2F0B9A0BC4818F97CB1ABF37A069F3B76BD7CA89F8624ACDFD,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001451239Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:02.092{D694AEB8-F83C-60E2-EF08-00000000D301}6572pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com052.13.236.190;52.43.155.197;44.239.250.14;52.88.2.59;35.160.191.122;35.167.137.152;52.12.55.135;54.184.190.181;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001451238Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:05.101{D694AEB8-068C-60E3-CE0A-00000000D301}64086620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001451246Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:03.216{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54423-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001451245Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:03.216{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54423-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001451244Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:06.799{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6413C58D2A1FF75DA1A074ADAEBE9D8D,SHA256=92E51C78D69C9045E6C71F6A25C535E47C7C995326A75BE0D3185D42D9A8537D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396357Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:06.442{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358C631C20752EF08C9B799BC83E0D8B,SHA256=AE802E69C1F407C660F60CBAAA64A8F62A963D71C555A385E59E6E951619DBBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451248Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:05.728{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-6377-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 23542300x80000000000000001451247Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:07.829{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF8C5174F14316487E83966A282294F,SHA256=841F56D8158B47DFCC70161B6E9765427DCD310BA2CDF92E5F928C5A06A1E3B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396359Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:07.442{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1EB51B5A4B595E0E9D0A2A00311EC8,SHA256=7E78A4CB888D3669AEE050B7F653F675AF94855F822C062EAF137B3326BF8916,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396358Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:05.307{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53795-false10.0.1.12-8000- 23542300x80000000000000001451250Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:08.844{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59912E47053B809127C807496668E12C,SHA256=BA60A43AA6B86425280B0443A5D7432CB88566A851152D9CF312A4B2C709F664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396360Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:08.442{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45C8E74B0E0256029C5399C7D74E19B4,SHA256=172B048D1CD9109EDE3DDF73E779E6760C82BC56CCD82D896FC1813976286EC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451249Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:08.363{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5206DC7C6663BF6D32223E4301930DC8,SHA256=58E59EF87FEB8FBCEA81814FDE4B81880FD5DFB7B135CB780FF2B658EE543B7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451251Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:09.863{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2314EA34545CCB3511D6CAF80616C6FE,SHA256=9F47493428896A53DC5CFCA213315FEE5803A37A728F6682F91732EC2CF19F11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396361Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:09.442{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A403C427B48518E4A26322B8A9FD02,SHA256=544A589EAAF3230706CE639B39F5F5340022A5EFC6DBB3A1F3CD8ACDF64DCBEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451253Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:10.880{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC635D3D36D3E2101C6E69E871ACFD8,SHA256=09105550B55FF8BB97EE0439ABC0CB1F7B5A47685DC64DB0581FE59D4F9386F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396362Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:10.442{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=343A8D805BBDFE76982F103924998AE0,SHA256=E7FB5E784B8EABB1A4E53709F535D01E8C82F042D8D3E76389E37C62C22BE0E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451252Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:08.666{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54424-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451254Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:11.894{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4AD9DAE9E71D8A7E210DFE011CC270,SHA256=6156875D06A646C4DBCD0C6392C40037FF386A71F67445D011782651D4D79AB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396363Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:11.442{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=547DDD08CB88974BDA0FFC650055AED3,SHA256=615E6E1C755553C5EC55DDACAE51AA6022F21CCC0497A5330C10DF810B3E1956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451255Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:12.909{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A2FC42BFD270A6C22963EE29604CAE4,SHA256=9FDECFC8827A6B53F68AEEA9F15C22335AD64856EBF2A61B001B60C1B42F390B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396364Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:12.442{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305AB8CC19B79F3F69FC4B9137404FF0,SHA256=40C71DF8E0EEED745734652D711335160DC40C73949B46C261822DBE6FF92BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451256Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:13.939{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36DC4921581850B4569F23163EB6DC03,SHA256=8F84D9AAB4DECB7205E1B9904C6F3C6D389B4C17C339F490E630A30BEAA31BEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396366Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:11.291{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53796-false10.0.1.12-8000- 23542300x8000000000000000396365Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:13.442{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4006242E3291D7C4F0F18E744B9E88,SHA256=AD7E0FB68A898E289F207F0678A5ECEE49AE14D920A0DBC764EA6643332F41E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451262Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:14.957{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE2F79CA4FAD7AEF438F176CDC0D29B,SHA256=8E441AF81BA5F3EC66A0D88908285EDBD0592CA588462B99E93E3BA43AC1BC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396367Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:14.457{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BCD8E3C1BD5D4F6B9C71213011812B9,SHA256=B8FD8910FD4952675E88FF3E45521EDCFDD330D534DB7718B7EC037A2260B804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451261Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:14.738{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=398B425F5C946411F1E06675B2428378,SHA256=988750CC61657590506461DF4F9DC74E8F810C8E1B8CBAC19E94533A91EA2A87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451260Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:14.738{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=064715C8F472CCED6C102855076C769A,SHA256=0FADF2175CCF99B4AB9AA5D995F0977E813E5BEB5E62B91DDA59E9A0900B9A45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451259Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:14.738{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=96A0C3FA06DC5A7E1CA78D9FA2A9072B,SHA256=FF6CDE1F46B68DC4F1EDF7B9D036AF639B8DC2D6123C2F06B1AEBACC7342434B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451258Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:14.738{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=714E5A70570E4C74DDBDC463E241AD25,SHA256=D19611280AB20E16ED3356C764DFB2D8FB15D00A8F8C8F1BF43F33B17053FDA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451257Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:14.738{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=45D0E8B8748540C8DAD06C4D8BB93157,SHA256=87133EF0C8E4BF5C042347B07AD43267CE092D163438F3266B24FCEC2BB0535A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451263Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:15.974{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D37BEFF0BA5823AE4245279BCE759A8,SHA256=9AA119E6BCE186515A2BF9A0BE80991A94D5ED08FABD67DC9E2FF09C924E4E60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396368Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:15.457{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2260E1711BA032EF1E8B48BA641D5FD0,SHA256=4BA2A6DE59BA88DD4F768E25134630D2F42B914F8D0CAC915DA448F3E3E381A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396369Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:16.457{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E38E27B843E6721A7EA1BCB1A0C4CD,SHA256=F761E9CE9CCB90D112DFB577409C8424D7E9BEA7EA5A5E41EE074EE570FBD4A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451264Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:14.690{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54425-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000396370Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:17.459{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9429A6DFEFBED653EC71588DA856BC0D,SHA256=31011439CF08B114097A69DFE73B33F7A6A59CBD847631B1157EC95855810358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451265Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:17.005{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2B881B878F9CB7C2ED618BA7B07B5E,SHA256=B55C70EDE780C5798A96214CD9319867FD12EDD979B7BD346CC1A56B3F54FB4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396372Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:17.260{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53797-false10.0.1.12-8000- 23542300x8000000000000000396371Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:18.473{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5523CE11732DF7D0130477DEBB9D9855,SHA256=4CFF64BEA0701893A7321CA96558F73883E0D492ACBD3D89C13043DCB06A9C6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451266Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:18.119{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63521C2FDF4BEA5AA30CBA361BDFD7AE,SHA256=2F9B3F3D244D19602AA1532F6F36C65DB50A63B24DBFA45F6E0E78115D8CC955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396373Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:19.476{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F4241A7428D001F354F8A54FFA3351,SHA256=449F3BED4B09DF298422C549917DA34DDF6106581E70A3B32842CA6D02537D6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451267Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:19.186{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD72C501FBA545DF921EE058D4A1859F,SHA256=3787EA599A609AB8F237AC54F843D1A4A71F797E03114A03D2E01818B019C333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396374Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:20.476{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=255FCE4B5AA01CF8F4AF137A9980652F,SHA256=CDA6DCFD7E02384220B224CFE6F0FCE74E9E81F84B068D983E5910A4F010670D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451268Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:20.216{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E8E194120996A7A4D1512D59204854,SHA256=8D4791DF041E1016354A3D56136E354D39240D6F0415C7D50F40870081E66292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451269Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:21.249{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E57F3040FBA0F06564C45F2C3CCC8F11,SHA256=07C4E0E0764DC5F8A3F3D27DA46A583B2EC280317C003DF00F178195102958B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396375Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:21.476{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9B022C61E87C0B98E9D7F510F6F1A8,SHA256=A5E2F88EE3D766086CA48C9B05B9D69192FA5CE3F1CA4EBB678C3882288AB8ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451270Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:22.283{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A13207D0D76837F7E46D1142A9B93146,SHA256=42CED98639E46CBDAF64FF03C5589889EA5A7B7C67102FB32737BC179FE56198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396376Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:22.476{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA348A201A840B24371BBBE3A9C954DE,SHA256=79454DFF4DDC3495BE7A4426F4A7F63DBBAB3EAA1404CDA55C8BD3D1D31684DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396377Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:23.476{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D3191CE54B39EB19AAD346D92C83C04,SHA256=7601BFCD9FA357E5EE80022C6EF3AB013BC63F9C7269FDD818FDD63193F58C69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451272Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:23.298{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF9DA5B1EC759D202220A86736E5DCC,SHA256=6984C167F098918CC9B1AFBE5D7E278AF9376EFDE64745A890B72BC23086426A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451271Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:20.699{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54426-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000396379Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:22.450{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53798-false10.0.1.12-8000- 23542300x8000000000000000396378Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:24.476{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F816B528FA37D3DBC0429677D984AF,SHA256=8F602F12283DD1F1F049426318C7A1BB684DBDF2B644F0D9DDCD540ABD6ED555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451273Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:24.313{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70FB7D449EFA0E08F4ED3DC0FDA2B78D,SHA256=48974C6489E9A1B50D0971B6F015ACB47877D19AF48C8DA41E492058F63379A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451274Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:25.328{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9343C6F8CC61538998E505C5E628CD54,SHA256=75AB82AB02D23017AA3402C4E6DD98E25B3DFA3FCA639426B7EF19AAA7FF38FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396380Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:25.476{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1688F057B06AFFD24EC53ED24B5F0272,SHA256=375BC02A75232A74266F92C43CCF41EFF5C9B6A110E810E0D7648A1E825FA3D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451275Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:26.379{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F480F0964B2FE911F62DFBB108C5BEB,SHA256=A3F9D727CB2D1007A3A9EC10CD2B383F3F321AE293A35131F011666343DAF00E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396382Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:26.476{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265C900FBCFEA9040AEB0152B3A48653,SHA256=2E00F1FE0D800C5E49B8A207016DB13A5198490FA819CAC1E76C7675C71C729F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396381Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:26.288{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B05235EEF9288984FBAB326B0E0F392E,SHA256=BBF6239B012E31302AA83B8E7F4B3200C165E7AA78DC6DAC6700468B1C303053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451276Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:27.410{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3345FA4B21CFDFD952E7FCC055402CD,SHA256=7CB685929EAA030DE6D825DD3B53D79C6C83640B27A25227F84C541F65FBDD2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396383Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:27.476{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C82E8137A5DAEF333BEFBAF28F1E88,SHA256=6A275DEDBCD60B8DE1B49A1412F15173931229DF5FA804C8BEDDE8CA3DBD8A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451278Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:28.442{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B99D27415FFCCAACFDA490344A3AFCB9,SHA256=A00BBCAF2978D79FBC8A1CF01C862661C10026A205BE7246D07B466A27E5A2CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396384Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:28.476{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79AC370F9DF6288F2DACE78D02F6AE8B,SHA256=4154CCF7F7F51D2CB167D4631CE78F866111A257B0DF526276705BF66F345C3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451277Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:26.694{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54427-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000396385Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:29.476{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9AC76CEDAD3628E3E80A5ECA4BA7546,SHA256=E1E057F2E556F854189E1F117A027653C1635657988B7228D51E15A99B219D0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451279Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:29.460{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=595201410F12F703AC05C26B2B7A2BC9,SHA256=F3E91335CF8F2B18B92AD5ACB11FF2004AE0414F8512F465793F08ADA78F0B8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396388Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:30.960{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396387Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:30.476{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6925E470EE3D5D98F7587E2EA3172E8,SHA256=1074289949816842D37321CCBFAD7CD5FAE6EC265560BAA1D5988B9F6EF47607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451281Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:30.475{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4020A3BFCBCA75560391D18E047B1206,SHA256=23F6A4FDCC3293401C81DF78DD194AA571BF4C234AD822FF2E3CE2064A10A2F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396386Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:28.435{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53799-false10.0.1.12-8000- 23542300x80000000000000001451280Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:30.275{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396389Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:31.476{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2782E362CD330DAB2E3E533842D3669,SHA256=55A334B21EDC4EDF7077E668F9EA029ED87B531D81A78DDB7242C89E81B21681,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451283Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:29.728{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54428-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001451282Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:31.489{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B3EBDC0D26D021E143E393D57E85237,SHA256=E67F70B12B0B5FE29B6D48D2E60EA72BDD864B0C89D611A1B07F0D53B7A00A15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451284Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:32.504{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6FAB4CBDFA9F021A2F63E27BF9D0E5,SHA256=D0346D1D172BAF767B72D3F77F38E15AE22DC3D1D1F73C09A63941DF9112509E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396390Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:32.476{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67280E5FD05846DD46D564E2EEEB31FE,SHA256=85B0B70CC2C8961103E63BD04BD9759A1B2FA55CDF278FFE4F75B9EC747EE4E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396392Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:33.476{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D46131E5B2FA207706FFA62F5682B0,SHA256=7F7BD6714D808581D6D0862ECB5155A3EBD633B62082C49D7FFF26D5B08389D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451296Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:33.871{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CC2D2292D5714C5785388E86B04F2EA2,SHA256=4BE6E7FCAD2FEF7BDDFE2A61F1501A8E5EFF615C5049F6131A135A34524FB31D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451295Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:33.539{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8E3636BB86F231F203F7626B75D672,SHA256=54A6092A6086179D3DF6618E9DAC3E8E57CF8F8FA022A8EE45465BDC36E63FCD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001451294Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:18:33.356{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001451293Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:18:33.356{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01434fb3) 13241300x80000000000000001451292Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:18:33.356{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77197-0xdef384e9) 13241300x80000000000000001451291Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:18:33.356{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a0-0x40b7ece9) 13241300x80000000000000001451290Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:18:33.356{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771a8-0xa27c54e9) 13241300x80000000000000001451289Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:18:33.356{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001451288Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:18:33.356{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01434fb3) 13241300x80000000000000001451287Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:18:33.356{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77197-0xdef384e9) 13241300x80000000000000001451286Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:18:33.356{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a0-0x40b7ece9) 13241300x80000000000000001451285Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:18:33.356{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771a8-0xa27c54e9) 354300x8000000000000000396391Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:31.138{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53800-false10.0.1.12-8089- 10341000x8000000000000000396407Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:34.882{7F1C7D0B-06AA-60E3-3E0A-00000000D401}23482560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396406Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:34.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396405Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:34.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396404Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:34.601{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-06AA-60E3-3E0A-00000000D401}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396403Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:34.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396402Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:34.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396401Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:34.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396400Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:34.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396399Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:34.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396398Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:34.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396397Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:34.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396396Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:34.601{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-06AA-60E3-3E0A-00000000D401}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396395Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:34.601{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-06AA-60E3-3E0A-00000000D401}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396394Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:34.601{7F1C7D0B-06AA-60E3-3E0A-00000000D401}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000396393Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:34.476{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B80F995268653AC93840F71D1C554DC0,SHA256=2702C7F6DE8DB7B78ED447B53A6257754408F01DF744991FD80E4C5E0B9873D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451298Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:32.708{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54429-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451297Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:34.571{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72A94BCC2CE85948205EFEC298F2116,SHA256=28B4CBD9DA425669400BB5DE82E15FEC47D7902582A001A2B7EAFA220F480B8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396436Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.819{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A1BD5016BE117CC872E419775CA786A,SHA256=E2CB817C82D8230A6A87D689479FFFED74B7F38CD34AEDA5FC77FD5C748FD2DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396435Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.819{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6903A0DD7CCB01398272D8018A0CED9C,SHA256=2FDDAFA84FF45E933EDF16A17029E5FAEB8DDC4FD488227063E4EEBEA21F00AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396434Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.819{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=868BC19B1A02C06787A83AFF9F318500,SHA256=D78750DDE163D006BD29B431681EA995A5CEC7EA91924A3E527F546504CC43D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396433Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.601{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-06AB-60E3-400A-00000000D401}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396432Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396431Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396430Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396429Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396428Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396427Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396426Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396425Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396424Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396423Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.601{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-06AB-60E3-400A-00000000D401}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396422Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.601{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-06AB-60E3-400A-00000000D401}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396421Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.602{7F1C7D0B-06AB-60E3-400A-00000000D401}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451299Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:35.585{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0812A2FDB82C90E21792C5B241FB171,SHA256=A76C636943CDC11BA31CC8C9D6774CA34E7A9309B27A5A0883835C16744E3399,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396420Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.101{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-06AB-60E3-3F0A-00000000D401}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396419Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396418Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396417Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396416Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396415Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396414Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396413Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396412Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396411Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396410Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.101{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-06AB-60E3-3F0A-00000000D401}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396409Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.101{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-06AB-60E3-3F0A-00000000D401}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396408Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:35.102{7F1C7D0B-06AB-60E3-3F0A-00000000D401}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000396438Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:36.663{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E34FC026890FB0DF005AF24578A46109,SHA256=D8A61CEEA2F7C4E2A7F1C7A10C80719299A9DD63A1DF7C4A11ADA04820EB7E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451300Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:36.600{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9F736E40BEB4EEA400A9CCEE61BFAA,SHA256=1EBF8A44210679E0FF77FA5E18761E22D16016EF8439D6629DDC5A58EB9EA755,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396437Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:34.388{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53801-false10.0.1.12-8000- 23542300x80000000000000001451301Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:37.614{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36BB9162EF289C0CF470359A520C0E3E,SHA256=ED1D2A6725D13DA42D7440E3BA32E96B9BED292B8C7E44A6A6C4F8EDC00B75A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396439Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:37.663{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8722822261DB07F972F89C90B995AD2F,SHA256=ED71E3D33EED301F7EFD13EADCE958E1CC6ED8C79850F2AEB8C8AEA43450E2AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396440Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:38.679{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD85663F5AE73FFC1F448497C0586879,SHA256=809C9394AC44CC7240B24370836C967E33B5F0ADB6D0EEEF05E137DF99D7BEA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451302Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:38.630{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8667B4409428E57200D051E029550DEA,SHA256=E2FD34D280D680FBEFDA72E28B3B830CF3DCE8E0B282774F1CC6A161851D1326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396469Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.929{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CF8E0D56AD688C2C3AA3F18D4BABD7F,SHA256=5B13CF24875C5B51103478D80B6F1638C4830D8EAADF95CCA531C4943FBB1056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451303Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:39.665{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD233C068FE3D4DA2EB588C136AF95C,SHA256=5B632F5DC3EDDB333CD760644668C0C0E0F8063A58DCDB77CB8E9580502B9CEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396468Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.804{7F1C7D0B-06AF-60E3-420A-00000000D401}3364616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396467Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.601{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-06AF-60E3-420A-00000000D401}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396466Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396465Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396464Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396463Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396462Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396461Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396460Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396459Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396458Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.601{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-06AF-60E3-420A-00000000D401}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396457Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396456Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.601{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-06AF-60E3-420A-00000000D401}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396455Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.602{7F1C7D0B-06AF-60E3-420A-00000000D401}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000396454Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.351{7F1C7D0B-06AF-60E3-410A-00000000D401}34443436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396453Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.101{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-06AF-60E3-410A-00000000D401}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396452Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396451Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396450Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396449Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396448Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396447Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396446Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396445Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396444Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396443Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.101{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-06AF-60E3-410A-00000000D401}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396442Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.101{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-06AF-60E3-410A-00000000D401}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396441Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:39.101{7F1C7D0B-06AF-60E3-410A-00000000D401}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000396498Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.944{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78D6E3305AF3F982283DEBFFB97ECA67,SHA256=696519D7E5436375570B5E2C6965416AFABA8ECBDA997B4EC596E86BABCF5911,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396497Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.944{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-06B0-60E3-440A-00000000D401}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396496Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.944{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396495Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.944{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396494Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.944{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396493Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.944{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396492Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.944{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396491Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.944{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396490Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.944{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396489Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.944{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396488Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.944{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396487Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.944{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-06B0-60E3-440A-00000000D401}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396486Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.944{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-06B0-60E3-440A-00000000D401}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396485Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.945{7F1C7D0B-06B0-60E3-440A-00000000D401}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001451305Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:38.464{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54430-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451304Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:40.679{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B61016E1A1CE563BDFD6971DE3EFE53,SHA256=FA4DBB16BD1098AF32260BA30449BFFCFE29C76A477F634DF4C085E012369988,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396484Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.413{7F1C7D0B-06B0-60E3-430A-00000000D401}34044020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396483Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.272{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-06B0-60E3-430A-00000000D401}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396482Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.272{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396481Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.272{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396480Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.272{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396479Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.272{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396478Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.272{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396477Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.272{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396476Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.272{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396475Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.272{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396474Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.272{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396473Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.272{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-06B0-60E3-430A-00000000D401}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396472Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.272{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-06B0-60E3-430A-00000000D401}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396471Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.273{7F1C7D0B-06B0-60E3-430A-00000000D401}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000396470Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.147{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A1BD5016BE117CC872E419775CA786A,SHA256=E2CB817C82D8230A6A87D689479FFFED74B7F38CD34AEDA5FC77FD5C748FD2DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451306Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:41.710{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E31030401A39A902939257A1F724C3,SHA256=41E7A0BE93E7E43B13361D7A76FAAC74C21BC816C9C6085D5D8F61664925BDFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396500Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:40.419{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53802-false10.0.1.12-8000- 23542300x8000000000000000396499Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:41.272{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=037797FC092D4D4628214EF27563816B,SHA256=72B8601385F34524A912F18FE68A8B73E1E1A7AB8EE054903D51F58F096C1572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451307Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:42.731{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D22FA3BF463DAD67098FF8E0DD3AD8F,SHA256=1ECC15576BBA68C1225518A312A8EBC5E82DA91C099AB7C99BC67F0E0A81D83D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396501Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:42.179{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6FB276E0A32E9E48255F0E6452A1983,SHA256=8B1AD45F2976D14C28FDAB155BC6130377EAEB07F9D9580335534ED3370811B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451308Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:43.761{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1917AFB9C0F0494AB1FDC0C7ACE7666B,SHA256=F3C108781B26071EE8F99C9B5B5B1D638E974B11C54994965EBFD5FE9253771E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396502Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:43.226{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4956900E2F8121DE559CAC6EB539A60,SHA256=41882C1C930CB965D39463407758FC42CCE9A2FEF714D70CCA5C7C12FFEF337B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451309Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:44.776{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FF2A96884C7243505E5BAED3322B2ED,SHA256=0E6782206225A9A3A4B57967F4A65EBA46B9E6A739009F880FDCBFBCA4B972FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396503Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:44.241{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22252ACD72786314295A94573DD1F9EB,SHA256=0FB9B8AEA4CB5E2D55CE5A534E66C80B5593538C86E437CA5D37848D230B64A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451310Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:45.806{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B7C9C4412FA77AB886A22E3A142FC5,SHA256=F6BFEC9DF55443261826BA445AA35E6D4E2E61E311E8A4A90A11EDD24262E7F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396504Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:45.257{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4190C7EA3C22ADF52A5E9E839BCEEB,SHA256=815D46D29BDEC94D8BCAE52E9BD87CEE68C018C9E5EF8EA69D29F7F47E8CDF24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451312Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:46.825{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8751F40113FF68EE1F4208761CF830F3,SHA256=B2A64F4A0CE1AC097BBB9D759EDFA083E2C9C70466D25740C4CA7E05CFB80ACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396505Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:46.257{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61DF9A5ADB1FED2A45C9D2B4E5B5B1E,SHA256=FFFC60C70DDC48609F69F6CB0F623805F3349B446274952E1D5BD0A2AEFF090C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451311Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:43.579{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54431-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451313Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:47.858{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4B56E933B883212D6E7C36B0F007A1,SHA256=465513C11BE5C83EC1962DE97E86C51D3BDDCA49C05D7436378C63BABF389E84,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396507Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:46.419{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53803-false10.0.1.12-8000- 23542300x8000000000000000396506Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:47.257{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB75A3B76F066F6F16EA177EBA7B5B6,SHA256=0068B68A639BB9483D9635108D65D9E22FD84728B1EA7703EB864BF3C3AAC9B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451314Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:48.872{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8C26A2DEF34CECB61ABD5EC5600419,SHA256=1CAE74A671C0308B14788298527C7C4B0CE4F12EF60F135D9A286EF5F65188E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396508Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:48.257{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0D746227A5D60358EC07A979FACD3D,SHA256=EAF5D8A340188A8EC8DA1F2F11FAD5C23BBC6248D6667458CCC0733A46D700DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451315Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:49.887{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F277D2E7F6E0F836E0D5C4D3E9E7C9,SHA256=A40E5ABDA2104B431E6885B2C5E8CB39DC0FCD11A0812695EE4B1DD63534ACB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396509Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:49.257{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F68343AE38858F9406EA1211D4D3F4B,SHA256=3A8B53717FE48258B9F13ECEEB5E368C2D060FA849036318505E9D4E60EB49C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451316Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:50.902{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB8E638662AA61DAC37F14E05B812464,SHA256=13FC5C96F41108C0709831CBDE5AAF263F46EC6305DEBE3A8C794F570B34EDCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396510Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:50.257{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D1E895A88A2E6BF96EDEFFC030A090,SHA256=8827BCB61A466B8593905DB36637F05D77CC45337B00E17DD76DCCF21D188325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451317Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:51.919{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=890D29EE9CDD6A7BFB31112471A6C188,SHA256=5C3DAEA79CFB14F8A4A3BB87CFA3C513607C29AB91FEB83044BC56A7EA344836,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396511Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:51.272{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18A8B5B0D539F64DC1CDDBA27264E540,SHA256=185544BF2D6F6647EC2C9723689FB1DCFA97278F1F503A150AF510546A3682E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451319Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:52.937{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4515BBAF200B91D34B844D59F66D9D5,SHA256=21F6C6438CF4EEE1CE81A761EA46310E8BA9A36B13943BF0B4C77283F18D94DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396513Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:51.420{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53804-false10.0.1.12-8000- 23542300x8000000000000000396512Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:52.272{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179E842E43D123C5D223A8B037E5570B,SHA256=7BF9890CE92455FF9AA6D8D64FBD5FC4F5B18CE5012978033007CD000FEE1CFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451318Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:49.571{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54432-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451320Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:53.952{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE75FEE3E4966757743E805E9A0824F2,SHA256=7D78AD3C7FD828F6907F476C41C44B92CD98747581A0C557DDE911C95BBF4E23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396514Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:53.304{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1E49755E7A0C300BAB8A33AD802403,SHA256=BA30D7976F3EE04BF9DE19A8E4A1ABC1485CE6D0186C9C681CF980D1CC67B142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451321Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:54.966{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC0333085DE7C04582B051F89524E75,SHA256=E787B564C01D7E56209EC9C37C3B6572936DB1D81296B1098CED7CA56DFCD5C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396515Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:54.304{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=916B9DE3D30DFA6DD4D9655777E27825,SHA256=A50F28C1660A75BF09F7B5F4579C600E6F0D1AB9AE594E639101F701BCEBB966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451322Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:55.981{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D5FD55D91925DC8347408757E07A629,SHA256=F241F54848243A2DD683E5BDB5E4995C7278016A0BCD87448A98B8ACF5B9F67A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396519Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:55.944{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99E729C68E4AE1A022265BA5E46E0B0E,SHA256=C1C9EBE45F28423D1FAF48768CC5E50EDBAE63D3C9B36A443FF1BF383F34BDDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396518Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:55.944{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=376B2CECCD97E49F5B7445CAE4768E19,SHA256=EDE43741A402E8DDF5020A3C66BBC2E85941D66CCEC4E26C2DFB98ACC0332487,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396517Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:54.901{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-51335-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000396516Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:55.304{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F88CE52045359C129BEFF2C4D5391B37,SHA256=CBDEB55D22D75E4B99B155B2BB2AD4FCE8CA20AE0EDC0B3B62CCAE920E0CDC38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451324Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:56.995{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEF6C3D57E7B63AA835D342A279C6108,SHA256=A4B02C78AC869872F46E9C3C486A8177CCFB726077F513F865789F1778BBBAE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396520Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:56.397{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E06E10F4EED5FA889A7FE8AE1F2965B0,SHA256=DA0C02AAB22565E81C395465D5B3A41789E54A93081A318FE001F278AE7D182B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451323Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:54.603{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54433-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000396521Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:57.460{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3BDD9E908F340E1E67FAB708E6CB04,SHA256=11D1A826D59744AA1838A12668EC78E0899768845BB97771232E46918D48BFAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396523Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:57.435{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53805-false10.0.1.12-8000- 23542300x8000000000000000396522Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:58.491{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E56FBA145F49FDCD516821438F0BBEA,SHA256=3F3A108428611367AB75E3F64D287ED2B5A3985C659AED9624F8CB3B5BAAE991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451325Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:58.047{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25539BDBAF3A771B5B8EBC998E87E4BF,SHA256=1884CADF7BE98220D86126AD4DDD5B2842E97EE9D68B280624325A97898E0058,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396524Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:18:59.507{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C5056F6E72BE046CD8B2B964705E9C,SHA256=F79B055397DF89404172AAB525F5795C8509029A1419127E5556A63AB30A7374,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451343Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:59.811{D694AEB8-06C3-60E3-D00A-00000000D301}42004728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451342Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:59.646{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-06C3-60E3-D00A-00000000D301}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451341Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:59.646{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451340Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:59.646{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451339Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:59.646{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451338Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:59.646{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451337Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:59.646{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-06C3-60E3-D00A-00000000D301}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451336Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:59.646{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-06C3-60E3-D00A-00000000D301}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451335Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:59.648{D694AEB8-06C3-60E3-D00A-00000000D301}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001451334Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:59.077{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-06C3-60E3-CF0A-00000000D301}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451333Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:59.077{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451332Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:59.077{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451331Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:59.077{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451330Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:59.077{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451329Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:59.077{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-06C3-60E3-CF0A-00000000D301}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451328Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:59.077{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-06C3-60E3-CF0A-00000000D301}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451327Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:59.078{D694AEB8-06C3-60E3-CF0A-00000000D301}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451326Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:59.062{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=077AC9CB49A706E97A560E6B32628201,SHA256=B0FDEE044D36F8945B86E7236A2722D0B32C699C4558543657436D1E3D41F3DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396525Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:00.507{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526581529882F0DBDA23252614D96AE9,SHA256=BE02BC3867D219F05577D3A21025873AD231FF4F68ACE29D2EF1DB1A82F0926E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451354Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:00.246{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-06C4-60E3-D10A-00000000D301}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451353Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:00.246{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451352Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:00.246{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451351Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:00.246{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451350Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:00.246{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451349Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:00.246{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-06C4-60E3-D10A-00000000D301}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451348Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:00.246{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-06C4-60E3-D10A-00000000D301}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451347Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:00.247{D694AEB8-06C4-60E3-D10A-00000000D301}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451346Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:00.113{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E772FE8B3443C4361C37B4B267BD61F,SHA256=11161E4EE06832EC1C01A636F0085B01832C9B059A7B8E04F9494733F94D1C73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451345Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:00.112{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E80BE11C3B4198C235C23174B926626,SHA256=5421D5AAAF08A14C003E1815FC3C19AAEE7909736D2587A404A0C9DA6D1E2AA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451344Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:00.077{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E79AA27F091C9F4619D00467187D8DC,SHA256=8CFE1AE408035233D02B06D487DFA4369A7FD87A25BF9C94942626403A109DC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396526Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:01.507{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38CEBD61601E899106FDD32470E740D7,SHA256=CA71E6115F832AA845D6BDE7481ED6B0BE493983A343E009BE4A87864734E685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451356Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:01.276{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E772FE8B3443C4361C37B4B267BD61F,SHA256=11161E4EE06832EC1C01A636F0085B01832C9B059A7B8E04F9494733F94D1C73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451355Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:01.092{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCF685C80999023D534A38F47632889B,SHA256=5CAB4AD4EAC4B5EB0D623C25A5975DDDD93F28304C6823E307EC0C1064A090E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451366Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:02.890{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-06C6-60E3-D20A-00000000D301}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451365Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:02.890{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451364Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:02.890{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451363Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:02.890{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451362Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:02.890{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451361Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:02.890{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-06C6-60E3-D20A-00000000D301}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451360Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:02.890{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-06C6-60E3-D20A-00000000D301}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451359Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:02.891{D694AEB8-06C6-60E3-D20A-00000000D301}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001451358Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:18:59.629{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54434-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451357Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:02.109{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B30CEA7A2638270816BD90D48D703EA0,SHA256=14A031C398FF224B3879C7AE036D7E2A242069244C9420306D004308744F0F29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396527Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:02.507{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D492C62E803731B316EF65B97B90DF,SHA256=B4B4267D88DDF956C954F368C0DE29B7D38E2086256099040A1E750CA4ABCD12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396528Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:03.522{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6E07894895FBD4E5A046DD1AB7005E,SHA256=CE6AF873E5EA5C0A6F90621DA3ED6B55E177948769D62133EB6D1F97F69D878D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451377Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:03.711{D694AEB8-06C7-60E3-D30A-00000000D301}62046816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451376Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:03.574{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-06C7-60E3-D30A-00000000D301}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451375Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:03.574{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451374Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:03.574{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451373Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:03.574{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451372Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:03.574{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451371Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:03.574{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-06C7-60E3-D30A-00000000D301}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451370Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:03.574{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-06C7-60E3-D30A-00000000D301}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451369Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:03.575{D694AEB8-06C7-60E3-D30A-00000000D301}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451368Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:03.127{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C32330089A5D5A07ED9F18E5334DBFB,SHA256=115AC88519B0E2CD52259C5877ABAE10E9B8C7D67E35EF152F9C6A58DD535C71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451367Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:03.059{D694AEB8-06C6-60E3-D20A-00000000D301}43764772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000396530Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:04.679{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD5687ECE9CAE95F01DCCC8B461C56E9,SHA256=B78DD8D4AD9321A34D7CEDC052752CD0D9251020A36A385FD0BB48E106AABAEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451395Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:04.889{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-06C8-60E3-D50A-00000000D301}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451394Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:04.889{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451393Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:04.889{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451392Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:04.889{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451391Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:04.889{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451390Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:04.889{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-06C8-60E3-D50A-00000000D301}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451389Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:04.889{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-06C8-60E3-D50A-00000000D301}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451388Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:04.890{D694AEB8-06C8-60E3-D50A-00000000D301}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001451387Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:04.211{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-06C8-60E3-D40A-00000000D301}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451386Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:04.209{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451385Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:04.209{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451384Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:04.208{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451383Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:04.208{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451382Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:04.208{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-06C8-60E3-D40A-00000000D301}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451381Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:04.208{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-06C8-60E3-D40A-00000000D301}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451380Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:04.206{D694AEB8-06C8-60E3-D40A-00000000D301}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451379Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:04.142{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD88A3734D949B2C2DC8E874A649E30F,SHA256=0D13A564899ADB06E5C4B65E392B84E400939F97F13219A793A49F5080F8060E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396529Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:03.419{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53806-false10.0.1.12-8000- 23542300x80000000000000001451378Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:04.042{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDDF2D20915A7A3C760D74A945017EC5,SHA256=99E9B268D8FBDD95BC78BE9BB48AF2181A43ECD7B197068246B1FDDD5DE0D7C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396531Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:05.694{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E82855E7E68355D782A193F6DBFC3B15,SHA256=CB0258AC27395E2288F3BFD35A29FCEF2FC6DA1B71AE365AD304012B9FA16431,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451400Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:03.226{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54435-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001451399Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:03.226{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54435-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001451398Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:05.226{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D7B66199680D28BB309BA00CD827D26,SHA256=13FD21F64357EC271AED268432C8E4B3B69FCFACAE267EA3789EC89BA568E2E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451397Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:05.173{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87ABFD888152335B950FF3EEAE4D2B08,SHA256=DFB9F6B5A76AF5A71A3E7E505FFC05AE0CA919C1824908D098CEDB3357CA2B39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451396Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:05.042{D694AEB8-06C8-60E3-D50A-00000000D301}64164616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000396532Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:06.788{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECA3550D257329C6C54589A438D4226,SHA256=B5461800E582BE60FB1963ABCA8E5A578706B9C6BF81D1BEEFA72080B4DE0293,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451402Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:04.641{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54436-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451401Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:06.187{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEEE9566924257665B85ABBB057E7923,SHA256=ED90693924F564A34DEE61449C74DD8C0D53947D7C69EFE1DCE1BA01FF45315A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396533Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:07.820{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C970351B017B9A1D4394F573B6012B,SHA256=DE139C909E1AA4A2EA4DF9689A844459DAB78816F90F75DA2ADCA11910583948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451403Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:07.205{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28C7341846921A62BC34B32DA0D53FE,SHA256=51A0B0C2A491266983E2FB3DE291260288E16DFAB4783B780BF83DF79B6F196F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396534Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:08.929{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADDCD45E8F55A444E0B2338D59D88E70,SHA256=BE72341E20A3BD859D080F5C103188687785C84140DA8F58058784641DFB7361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451404Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:08.223{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4005C7C8B288A2044CC29105F8E1C554,SHA256=E562157F2FDE24C4399BA1FDB7C1B2AD3952395AF57D4BDC126E43B986E641C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396535Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:09.929{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D41E4FE4AA533961D6798E1B84A11E,SHA256=FD81AF0473D1124BCF59461522D64EBF50120CEC21C6ED4EDE3C37645C5C442F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451405Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:09.237{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C3470A223BD16A9690B4E8FDD8D681,SHA256=E9339134EA2CB970B70D08515F3C0FA9E20DF16FC6D7846A6C7E1F32B5E93984,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396537Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:09.388{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53807-false10.0.1.12-8000- 23542300x8000000000000000396536Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:10.929{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0393E7157C4C8B1152BA01E1773BD10D,SHA256=610A4744FB73F0F214E37FC4F55F163EC43B8F53FBD0714DE00B9A06CD766B7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451406Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:10.252{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B414FCCA7555012D94B840432AD8EE87,SHA256=9B33B0003B0616B999E10B10597288CB338CE379FBF48AE5A75059A56000EC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396538Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:11.929{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A9E445235D962C3CAB5CC48E6B687B,SHA256=3DDDC838594B00284D68680A0E1E44E161ED84676EAAF94A552C12A33A890006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451407Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:11.267{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B6844D17E7C4786D5F0CCD050207B6,SHA256=39685CE514021F32A7B9D663F5DFB810723784E6A3631759E8CFE6B09065587F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396539Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:12.929{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A28263A41C6401FDD15F216BADD3FC5,SHA256=923C95889C9EE7F5D78D9A9C8824A73685AE900DB92F4EBE6D322658D335AE6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451409Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:10.651{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54437-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451408Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:12.300{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381CDDA0869E1F786E9D61D506467579,SHA256=6996644EEF0B5A7BFCF67CB11340B375DD88CF4A23075088A8F7E15435D7239F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396540Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:13.929{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=099EB2A551585EF9FBC0E211CC4915FA,SHA256=2D038CBEDC6E0FBC88B1DB7493ED9147D6F139548804684D11B92B76F6FCE8D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451410Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:13.306{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B227DDC72F08533D1A3CC53AC2595B4E,SHA256=3ACFC04FAEFA4645B37F36DAB62318DF4F84E92FB79836BCAFBAF830C3FFDD3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396541Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:14.944{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8CFF3E3D003DB322540631FF5E5427,SHA256=F6ADBE2CA62E8F82F57F4ED3F298E541A191D22358182CA04BCC09263FA4CFEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451411Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:14.324{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE1E64198C7FD6B447DAFE0C5EA8A588,SHA256=356346705D538F917807D4F870C3D4889F8EE4385BA04873D1C42215811DB203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396542Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:15.944{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46E6A9194FBBE6701E1ECB15EAAEF9C,SHA256=AA436A9241A693BC187FC19E04AAE6A498DAF0D3E1B99F2F00B097FB0DA6C885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451412Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:15.338{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800EF200FF646486874A681455A238AC,SHA256=B2B870843B5E8EB2246FE3DA77650B6578B10F22DD1651760C83C5E66802A95D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396543Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:16.944{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63E1DF0FA25994C2FBA918FECA32C500,SHA256=4C9E034CFE2FAC92A7936E549882D44995A2C5C1F239ECAA28DBF96E66FA03DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451413Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:16.353{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=804B82B0D37269516E7592E68171667B,SHA256=B48BBE03755D46EBDA44F7DFBF27FBBB53F10A1DBDFC59714B6E32062A4C49EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396545Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:17.944{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F24A9A5734936663A20117BF8E6403,SHA256=703A41B5450600A7BB6DA891BE015B7B3D42E3C40224C7188FCB0CCBDB11845D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396544Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:15.357{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53808-false10.0.1.12-8000- 354300x80000000000000001451415Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:15.652{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54438-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451414Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:17.383{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A0CF521F6E3619977C17C2D02B83F4F,SHA256=FCE038450363441798FE954D528895A5FCAE5C4FFCB32B19E4DE22E1BEEE29B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396546Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:18.946{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203025ACF369B342A61F6AC1A374EB52,SHA256=8A221B12F7D314381BB20D5165B11ED7CDB82FB12237375B7B74DAD094910AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451416Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:18.400{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A9C6528C40D8A1B846A4B9A763ECF6F,SHA256=41BF58767A69447878EB8ADF10C392DD2E3F17BE5330962ED2EB759C391EF528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396547Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:19.991{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C3474E93BFD517488B01CAA845BC3EF,SHA256=D2130EEFB9A92C15ECACE766EEB30F681EA66FC852825AF9B9D7900AAB3097F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451417Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:19.449{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4ACB77455961554FAB46994B8FE8978,SHA256=E82F3B588CE6ACD7F9D9DFDCF8C9C1DDDB8F58E83A79056CEC2D96AD87A8A028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396548Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:20.992{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1109E442C4901208C5AD1B2B9530148,SHA256=465BCA36257CAD97597CB4C922FD62F0C56EEC843C56DBF05B5AE3956EBEE4AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451418Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:20.479{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F831C5E8B5D7CE8BF735D6AD1B75BC,SHA256=99705A7DCF2F56E8F084C941F546ADA27A19CA3E869B5245A027D5A65E4AA64F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451419Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:21.515{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E8359D199555621B2BC915B64AB5309,SHA256=9F616CE9C2AE00EB7CD24CF2E6AD3C623CE83E3195BE48D9740DBE23F3BEC38E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451420Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:22.529{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73624745D0667F71FC9D8A166CED685C,SHA256=52D34CE2134412EA14BB1CBE2AA69CF6B810F645F849FCB1E3FDFC4DD939D69D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396549Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:22.132{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91A50D06AD1FD197A257548F43348777,SHA256=8F51E5A8F9B7265B2E9D28DD3E3CA212D0D373A51CDC8FE92EC3EEAB15FC8C45,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396551Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:21.373{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53809-false10.0.1.12-8000- 23542300x8000000000000000396550Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:23.242{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16FE03ED205500A3E9656A3863A5B0E2,SHA256=97F679727BE1EB172A795137A99FEFA1063B89EAE615EC8A717D654C0906F044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451421Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:23.544{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4115FBF5D6D450222813E70F3660F9A8,SHA256=3D5788F7E33C10B94229DFFFE2080B6E0920E28AC12BB3B14CBE7EE4C185F18F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451423Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:21.682{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54439-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451422Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:24.559{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EFD9C5C62EA3367FD3A4B8B0221A697,SHA256=3A1C42A9EE17374CB2315D3FFF289E01ADC564E9592AEE7C641B56C39B9ED09C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396552Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:24.242{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75F84F6920D5A6020447C4DBAF9C0EE6,SHA256=B60BF8B00B43B7F5A009769E84B07934897A5524FEF4C4C2B7D54395A907596C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451424Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:25.573{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD740FC51DDB724797FD9C5BBE0CFBDD,SHA256=F9967A458F79FD59C17E5C1F6A326F2C4275D2BA7D5D1C65B2305907C87EEE57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396553Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:25.273{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E3F4B77E684644363AF1154E4CD8CD,SHA256=79ECA383F2043FDC11036FD795B42A3DA6126FBB8CC7513165A4CB152A1FC1BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451425Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:26.590{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B26AF7C40E3B1C5AD697773BA282A43,SHA256=DD2793A88685BE960A99F39EA80E78820438BACCDC3FA33FD8E5143E38FE81DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396555Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:26.309{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022884525859B3706928F893698D9D70,SHA256=23410E9271B06841882550627E86F61D0CB354C3E5A46549497EF9ABD80981A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396554Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:26.289{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=ABB4F74A97AEB7C0071A6B49E64DE473,SHA256=3A4D99F1C91483EAF0C2A2A575553DCC412840849B4777B6371D8CC5E35F4AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451426Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:27.608{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4531594FC57EDAD0A998C483E4DD40E0,SHA256=531B9A432E651069D8C8AE05C5E7B6021D7AD81D67E57CA83234418F23D50C92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396556Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:27.320{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC4A838B0AB7174971FCE0D5B47D3D6,SHA256=C04E52F13ABBC24F82BC18381DD824422FE98472F739F771F8DCEEA3E7B68E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451427Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:28.623{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF97D6E44A30FA43A42EDD631C3DFF3A,SHA256=541527189A7028FA14D39597849408BAB390FC4BEDC6BA7B14FA88726AC76FE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396558Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:27.342{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53810-false10.0.1.12-8000- 23542300x8000000000000000396557Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:28.336{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C155232A7C1A5FA65711AB2D91B14C6,SHA256=FBE17F7C51B96B255540A7E69888CF043BB068AA443312485C901FD5D19EBA20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451428Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:29.637{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D1577CEBCD4E48066695ADEB860F7B,SHA256=ECD0BAA6FD550A969C2927E16EC209025C3F1825DF5830F5680D264F8ABFD41B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396559Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:29.382{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ACB2F2B88AD9FA5EF16E4FD32EF0565,SHA256=629C093694DB586DF671AAD9BA4C71645584CE3D2AF813C8C48EC26C63BA0715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451431Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:30.652{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A68346A330A54049D12BFF79C2910C7,SHA256=89E6470C294DAB0E911EA6BB6512E7435E5B225AF9043F146B588AB586F88727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396561Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:30.976{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396560Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:30.382{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB714F16D8728A2CA935CA331D57DBAF,SHA256=EAC215314578670ABC103B9093D60B16E70C29FB15E9A3EA48ED5489E0F93EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451430Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:30.289{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451429Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:27.707{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54440-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451432Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:31.667{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C723C580FCF6F0E7C0B56EBB54514D68,SHA256=9B329949EF64DB5DFD36EEB5CDF33BE3F618EEEF06C33E465900C52CB41F62EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396562Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:31.414{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A25941F2576D692139F6CF5AD953D6,SHA256=F83B9F56AE3C7978C660B098C5C4C225D27FF9506DDE1A7D2DFC3A98B3CB086F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451434Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:32.685{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3BB868FF7AFD32BFC9CC55813BC433,SHA256=F332FD89DDCF106E872513396353BB022E9C8C3267309385F64550A53B4CC631,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396564Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:31.155{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53811-false10.0.1.12-8089- 23542300x8000000000000000396563Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:32.461{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415FFD866C017DF7E31FE50E572AD50D,SHA256=26B11E4743C1B9F284DE6D1BBF39B576A25C997B9737EB5147E2148C25E8FE40,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451433Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:29.736{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54441-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001451436Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:33.881{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=35DEE5FA3497E469B711903F0E08B9C1,SHA256=1A94EB982D32DB998183098E6319E5DD20E6A44AEDFB081E9DB1613FD9C63CB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451435Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:33.702{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36FA0DD84BB8DD22E5B784ACB898D31,SHA256=57799500B4AAC76C386067B159F8069B5EAE9D2EF678D7C6E82313343D35882A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396565Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:33.554{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=659840382642F8EF94693297FCA8ADCE,SHA256=BF333AC838AA1A67089B0D0EB2AA00B4FE4B2675ED4FDAF72760CC31C6F0AF56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451437Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:34.716{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F504BEC1225F103D17FF8268E5D6A1,SHA256=48F1835AAD4794F6E2B952D308DC340FA4B9B1D2490C577A9B7E044C747A1F93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396581Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:33.389{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53812-false10.0.1.12-8000- 10341000x8000000000000000396580Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:34.789{7F1C7D0B-06E6-60E3-450A-00000000D401}29242728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396579Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:34.601{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-06E6-60E3-450A-00000000D401}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396578Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:34.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396577Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:34.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396576Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:34.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396575Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:34.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396574Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:34.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396573Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:34.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396572Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:34.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396571Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:34.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396570Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:34.601{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396569Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:34.601{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-06E6-60E3-450A-00000000D401}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396568Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:34.601{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-06E6-60E3-450A-00000000D401}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396567Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:34.602{7F1C7D0B-06E6-60E3-450A-00000000D401}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000396566Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:34.554{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2028DA79E9EAA0D00EF900E87F7B60,SHA256=AF036B5DFA2B3EE06EB1A087BCFA0F722049548DD4811168EBEDEC157CFABB57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451438Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:35.731{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9988E9AE20435B64CD78D76DC5651AF8,SHA256=55940B9C094EEFA786AF8C32C46ED0A8845B6FCF49973687745ADE97BD2CE19E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396610Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.882{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-06E7-60E3-470A-00000000D401}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396609Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.882{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396608Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.882{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396607Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.882{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396606Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.882{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396605Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.882{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396604Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.882{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396603Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.882{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396602Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.882{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396601Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.882{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396600Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.882{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-06E7-60E3-470A-00000000D401}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396599Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.882{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-06E7-60E3-470A-00000000D401}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396598Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.883{7F1C7D0B-06E7-60E3-470A-00000000D401}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000396597Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.836{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=378CCF378DC4D26E1BAA3918358BD6F3,SHA256=AA6E408515912084785CF8765F43DC8F9CF8358AC413305E7D50FE0056FCE0EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396596Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.836{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99E729C68E4AE1A022265BA5E46E0B0E,SHA256=C1C9EBE45F28423D1FAF48768CC5E50EDBAE63D3C9B36A443FF1BF383F34BDDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396595Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.742{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E7705E1D8CE62F942128E774F297347,SHA256=CC91F68C19C5F5D171A3909F6D78369C4C816FAD9DDCBB9F49F03D81CFB1FF1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396594Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.273{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-06E7-60E3-460A-00000000D401}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396593Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.273{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396592Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.273{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396591Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.273{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396590Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.273{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396589Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.273{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396588Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.273{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396587Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.273{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396586Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.273{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396585Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.273{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396584Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.273{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-06E7-60E3-460A-00000000D401}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396583Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.273{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-06E7-60E3-460A-00000000D401}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396582Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:35.274{7F1C7D0B-06E7-60E3-460A-00000000D401}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451440Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:36.731{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C299AA76A970508338008E9D9E5051,SHA256=201C1C641AA4FBD1D71D5814C1D53C938411C8E5D93E276CDE490AAEBFFBC6B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396612Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:36.976{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=255B803E6A4DE373342D91D4BB280C08,SHA256=68385543D11B64B180A1AC18C3E39CB076045117DD66FE2F19F2B1A20F3D00D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451439Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:33.700{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54442-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000396611Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:36.882{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=378CCF378DC4D26E1BAA3918358BD6F3,SHA256=AA6E408515912084785CF8765F43DC8F9CF8358AC413305E7D50FE0056FCE0EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451441Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:37.760{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=261D475106733D492E4CA3B017C2A0AC,SHA256=AAE975B07D50B78FBE2B549FEA3478BD9D69D33135F1875E8285C70580542020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451442Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:38.779{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D74516B52BF69BCFFB5CA5F6AC52531,SHA256=5AD87AD766E1938FC82403C210B050AA357BDFA6B4033B0F314F1D21EBF72004,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396613Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:38.007{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D16CA3B96213BB0A70ACB79C32859A47,SHA256=91DEEEA4B4D6958BF5FF57B9FE9E5E2A8537BD756ED90CBE6379F14335A967C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451444Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:39.796{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0402201B397044DD374B0FE2A66BA62B,SHA256=7D3F8132E9958818F670BA8A747231D404CC50957FA0C0388B5A5BCC6E10E75C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396641Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.773{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-06EB-60E3-490A-00000000D401}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396640Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.773{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396639Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.773{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396638Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.773{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396637Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.773{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396636Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.773{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396635Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.773{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396634Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.773{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396633Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.773{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396632Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.773{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-06EB-60E3-490A-00000000D401}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396631Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.773{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396630Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.773{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-06EB-60E3-490A-00000000D401}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396629Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.774{7F1C7D0B-06EB-60E3-490A-00000000D401}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000396628Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.304{7F1C7D0B-06EB-60E3-480A-00000000D401}3561868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396627Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.101{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-06EB-60E3-480A-00000000D401}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396626Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396625Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396624Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396623Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396622Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396621Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396620Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396619Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396618Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.101{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396617Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.101{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-06EB-60E3-480A-00000000D401}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396616Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.101{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-06EB-60E3-480A-00000000D401}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396615Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.103{7F1C7D0B-06EB-60E3-480A-00000000D401}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000396614Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.039{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87C7F8E01414C2CF732ADE31C1F71DA1,SHA256=6DF36319E215CBD4036E4978094DFACFD1FBE8648E21A70F42BF154E6DB21344,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001451443Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:19:39.044{D694AEB8-B3EA-60E2-1000-00000000D301}416C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d771a0-0x685e734e) 23542300x80000000000000001451445Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:40.810{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192068003E6718D6F4A33A175BFDDB3F,SHA256=56A63A01C9B9652F849256FD44AD96BDB2498F6F78BDE8AC90BF006556CB896F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396671Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.945{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-06EC-60E3-4B0A-00000000D401}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396670Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.945{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396669Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.945{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396668Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.945{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396667Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.945{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396666Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.945{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396665Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.945{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396664Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.945{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396663Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.945{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396662Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.945{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396661Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.945{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-06EC-60E3-4B0A-00000000D401}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396660Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.945{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-06EC-60E3-4B0A-00000000D401}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396659Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.946{7F1C7D0B-06EC-60E3-4B0A-00000000D401}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000396658Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.445{7F1C7D0B-06EC-60E3-4A0A-00000000D401}10561480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000396657Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.445{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5688CBCE3940E194379658C2C6E9B7BD,SHA256=6F5D3FC8A0F5165F8DEC400B524F34720FC0865C11D155254EF33DE2BDA77953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396656Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.445{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A023A80B4FC35018CC23C7D73CF556CF,SHA256=2D9C73A57468AD3E5CF0FD72E33A90B50506EB64F3E4438AA10E1D2E98BD3D12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396655Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.273{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-06EC-60E3-4A0A-00000000D401}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396654Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.273{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396653Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.273{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396652Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.273{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396651Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.273{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396650Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.273{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396649Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.273{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396648Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.273{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396647Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.273{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-06EC-60E3-4A0A-00000000D401}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396646Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.273{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396645Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.273{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396644Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.273{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-06EC-60E3-4A0A-00000000D401}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396643Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.274{7F1C7D0B-06EC-60E3-4A0A-00000000D401}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000396642Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:40.054{7F1C7D0B-06EB-60E3-490A-00000000D401}2243492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001451446Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:41.825{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DFAFF22B2D8588D7065010774828528,SHA256=E63D4FF5E7C3F6FD8CB14833AF46B90CC6D399DD44FE113C78DBA6CE38ED9056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396673Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:41.586{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB13DD10FB4C0D4E3C66A5E6235EBC51,SHA256=22A7BDC199F6D813371B8215B057B39DA7D60AE8ECD4B818EC1352BA13698182,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396672Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:39.405{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53813-false10.0.1.12-8000- 10341000x80000000000000001451477Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451476Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451475Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451474Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451473Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451472Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451471Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451470Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451469Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451468Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451467Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451466Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451465Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451464Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451463Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451462Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451461Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451460Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451459Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451458Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451457Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451456Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451455Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451454Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451453Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451452Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451451Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451450Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451449Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.992{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001451448Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:42.839{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A27E266EE320E07767C19E52F8A112D4,SHA256=D592A561EC8FB87D1968727A528AC8D4BBD0D0B59509C494CAB24DE82F6F1E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396675Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:42.586{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=498E787C56863EBEBB890961ED792F47,SHA256=D5038A943A97F6EE33C297F0C6CCE78ECB6E58DCA39522850FFEB928BBBDBC5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451447Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:39.679{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54443-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000396674Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:42.179{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B42D3C5D046D505043A22034BB48AAE4,SHA256=F592AE1BC096319873C8B03A95DC468C873D5CA699C97501A12E48A702AFE24B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396676Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:43.601{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A3A9C249C0A039F29AE4E49AACAEAD,SHA256=5F8D2B9EF7D3064E490A02C5EF52D5BE45E5CB823AC1946DE770CDF2AB120884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396677Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:44.632{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E73505B7A75518A67683131DEAD3DED7,SHA256=064B9AA4EA80018C9E5F03F2396B3664D70285A36291C8294A624AEA1780F1E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451478Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:44.372{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA6D6F759C0B127230E1835B9F7B0E9,SHA256=D84C2117DF27A327D6901E3C1353524ACD87EFC849E294EC41D64CE08D816192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396678Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:45.695{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAFDF779CF84935692673804249EE80E,SHA256=531ACC4D89F92038694943FF372AD3EF963D7FE25249F7AC4B2F3CC9BFC64968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451479Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:45.390{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C7E88D365739CCED32021831AB3E73,SHA256=FE2540164609D79055F5B6EA0976E26347E984B1AC8673564294BE5D21551EB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396680Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:46.711{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34B5465978F5F1A1A9FD1A6FD6E2A432,SHA256=B32D466447993A94748ABC89A7392D293ED4C891139EF269512E0DA9A4AEA899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451480Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:46.405{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A1246D91208EA1D65E24FFC14683789,SHA256=2E6769BA983AC1CE6BEC68F4C77F1022C0074C3F476DF3399F069D2C19E9462C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396679Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:45.390{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53814-false10.0.1.12-8000- 23542300x8000000000000000396681Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:47.867{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A52D4869DCC534BD910CB39635D45C,SHA256=0E4C84E190BFFEB3F75538CC531CA9988F43CCA02397D7410EAD57AE18F3B2A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451482Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:45.673{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54444-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451481Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:47.419{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01F12E91AC655C3EEC65FB7F67044364,SHA256=48E7C7C0D8A430DF74EB7ADFD0BB09637598334842D0005FD0E510B52F617984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451483Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:48.434{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75C887872D2399D46DA055B8FC22000,SHA256=C4541FA696CABC381231DDB13E39FBCEA82ADA853FFE3729E9959A007EF195C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451484Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:49.466{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B65F8072C0AA579E3045B96A4CED67,SHA256=8AD294A5142FAC7A2CA7DECE75C2F19590EBEC3DB140685074A37F7323FABA7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396682Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:49.086{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F25FB772172E2D77EED28223D89D4EB3,SHA256=CCAC1E5632D34C497ED03403110B4A3EBB0A17EF03F78E0F0B9A4DD1FD74B91B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451485Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:50.500{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91A3D9134FFD51FBB643FDD37A3D4849,SHA256=8B8914505624E07C747D6E07121775400D3B3B0C152BBF856D21528760652844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396683Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:50.101{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=514B916E5B08CC4C9EE00C970BE04684,SHA256=C3C65A308DD79F472204E0D109243D6364B1EE4A387DA84180C01C0DD0B7D3CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451486Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:51.514{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=235F1AB33A7E10B6E5BE5A28F51C3668,SHA256=6F968A99766DA0D347682F1FBB2F613222E52DF886CE3E7BEB23D76958DE581D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396684Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:51.117{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89B7B4122021A2F8438111CE2A9562B7,SHA256=09C34F3AFCABAF4792555FA416E0AFC267392A420F7250C652CA5D89820B6791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451487Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:52.529{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79E8196DD0906E494AC911D156B0D1D2,SHA256=8E744ACDC585B9008544EE0E9AE7CE7C461C0E6DFE50459E75F40A5324DC28C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396686Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:51.390{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53815-false10.0.1.12-8000- 23542300x8000000000000000396685Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:52.133{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6871ACE0E556D97000408216F5C5D4,SHA256=772AF74CEEBADDDCA2F669745CE9042130D5E09362ADB1400CC082548F994DA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451489Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:51.666{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54445-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451488Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:53.562{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30BDEB860568C708F3860852CD55FD50,SHA256=8C9E91892E1BEEE835331B8A1EFBCE3E99462AD078F4C98EEC0AE7EDAE4355DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396687Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:53.133{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F473ECA5D2C076F1736164101095F3C4,SHA256=D07E89E0831613BA717DAFAB61C7A80D1C04843F2427B5A65D35BFB30F2041A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451490Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:54.580{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256F07E0BA35D015738BBDA4C0EEFBC3,SHA256=376C4755F8495FE4C6437A11FFB18B2FC4BC7352D74B8B0DDDD6402056FA269B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396688Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:54.133{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47FA62340D77F9BFBE9C144972A9B68,SHA256=4B01C4C67A8FA0ADCCC71ACB3721BB837C6708E69A008C27305E85D949E5DB66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451491Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:55.594{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ACA0DF4FD262B2FF094BCB85FF0C721,SHA256=B4FADA3F67DFB4CF0B67DCE9DCBC54623845CCC57C22DA33889ACA412D16EFBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396691Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:55.586{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D903B6214F7006E70305A5F83389B6D,SHA256=EB63E431DE56A936AE99C4527107FF8BC52F146328C4F1CEC25EDD1BC5FFB76D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396690Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:55.586{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1A60D575F775B366EA877BE791563D9,SHA256=F8D9EE5777C85A51417EA25C1ABA926F0615D91C67A1580CC9EDC3866B18C019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396689Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:55.133{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4226C74275B83AE5AE9D2C2619A368DA,SHA256=C4CE1443156A1F3B1E3D06AECB62FB542C65B96CDCF1FC6048D63D61DEC064BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451492Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:56.595{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B6E70C56D0291E91D2E32DA7C4A6A4,SHA256=460B5C976A5AEBDCD9740B52CBA94E7B396E10E4C5854C049AD1D9F4B9D03C09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396694Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:56.148{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD1EBC79648B070F6C56899D2C33D8B,SHA256=845E0673DAF48308973C994FE05D1DC3410E930759F1CCD4C38F947DC0000A5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396693Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:55.065{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-53055-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000396692Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:54.548{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-2838-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x80000000000000001451493Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:57.609{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8DD83B68B145F42CC9310924512861E,SHA256=1C6EC0BABAE855F2D25A42D7919E3DB8816AB596C4CE2D9D90C2BE50EC409B80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396695Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:57.164{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B24E436B7C8E14C21F02EBA76B26DCB2,SHA256=CB9947FF995A054624DCC5D10966ED7FD9C609DE8E3513B2BCF0A6DF96E33295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396696Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:58.179{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C269516EE5110DCDA6211B1BD529E2BB,SHA256=CBB73178A9727001B2AA5D6DC161991F9D8C4C3F886B03A5975F22D618CBCE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451494Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:58.639{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73AF552F8474AA0571FD22FD1C2F0A4E,SHA256=16564F0D8D77FED07DF6C9E6DD5EB87EAC2993592B18C54880943A2540B226C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451513Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:57.661{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54446-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001451512Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:59.822{D694AEB8-06FF-60E3-D70A-00000000D301}66804324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451511Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:59.660{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-06FF-60E3-D70A-00000000D301}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001451510Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:59.660{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD76EFB2ACE4C165CA2F728E6B954E53,SHA256=7F5C0F095B5466EDA8F6A736C0485D0FC1100CC15A3FF7154C8799D320A152F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451509Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:59.660{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451508Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:59.660{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451507Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:59.660{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451506Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:59.660{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451505Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:59.660{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-06FF-60E3-D70A-00000000D301}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451504Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:59.660{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-06FF-60E3-D70A-00000000D301}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451503Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:59.659{D694AEB8-06FF-60E3-D70A-00000000D301}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000396698Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:57.405{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53816-false10.0.1.12-8000- 23542300x8000000000000000396697Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:19:59.179{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E097130B44C8B12592DF68A5B7FF11B,SHA256=2985A8364216D73CEA3B2471853BF9EC1446AF0BFD3598F4671333D8FFE7B595,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451502Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:59.076{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-06FF-60E3-D60A-00000000D301}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451501Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:59.076{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451500Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:59.076{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451499Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:59.076{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451498Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:59.076{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451497Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:59.076{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-06FF-60E3-D60A-00000000D301}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451496Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:59.076{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-06FF-60E3-D60A-00000000D301}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451495Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:19:59.077{D694AEB8-06FF-60E3-D60A-00000000D301}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451524Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:00.674{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDF99A7B66CD26D9B09C6E430416FE18,SHA256=F5B38635240E0FDA58710A7DB29BB9674C68B3F7DE4BADC7EEF4195228878A6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396699Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:00.179{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE80B4D456CDCD74EEF7CF2E1CE2DA4,SHA256=D09502B94A1FFCE6A1F7FF1F33E8BC7C66E2A5773E006650D9CFE62866C1F6B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451523Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:00.275{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0700-60E3-D80A-00000000D301}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451522Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:00.275{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451521Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:00.275{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451520Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:00.275{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451519Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:00.275{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451518Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:00.275{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0700-60E3-D80A-00000000D301}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451517Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:00.275{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0700-60E3-D80A-00000000D301}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451516Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:00.276{D694AEB8-0700-60E3-D80A-00000000D301}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451515Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:00.106{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F83379544ABA44BFD9A07FD21EC997F2,SHA256=DF05313CBE5251709371B8DFA7805131724CA5EDCAD351AF9E1199CD38C35369,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451514Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:00.106{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49E5BE7869C452E810A8C772A2005B86,SHA256=2C36DB072B24D91DEF467E5E2F11C52531438AAD0F11B0F658CF15CBE58A6A94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451529Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:01.920{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55af0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001451528Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:01.920{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+555d1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001451527Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:01.920{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF144a9a5.TMPMD5=7CC92A355EA66A219E3148903E63F654,SHA256=CDE288AC5D74287BFA2D9257B236405535586530C59E6CD093A4AD9FE7326A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451526Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:01.689{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC2F762192660CC4D0ADB4BDFE29F8C4,SHA256=49030DABA14CF5DFA52DCE0DFCF7F4F5708F13ADBEB4F1C1238C099AD97A96B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396700Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:01.179{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89BED3718011D64121D04724562EFE7F,SHA256=F31611229E4360396BBC6A0C8C86966E82DC25A045C5629B4015AC3F7105B331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451525Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:01.289{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F83379544ABA44BFD9A07FD21EC997F2,SHA256=DF05313CBE5251709371B8DFA7805131724CA5EDCAD351AF9E1199CD38C35369,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451538Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:02.887{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0702-60E3-D90A-00000000D301}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451537Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:02.887{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451536Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:02.887{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451535Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:02.887{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451534Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:02.887{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451533Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:02.887{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0702-60E3-D90A-00000000D301}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451532Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:02.887{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0702-60E3-D90A-00000000D301}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451531Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:02.888{D694AEB8-0702-60E3-D90A-00000000D301}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451530Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:02.703{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A971D7BF3B9943CA6B2149F3646FFB4,SHA256=8E88765315A095122B5A7049212E9783CBDC9CE9E17C0E765858F29912081039,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396701Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:02.195{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FDA70B30FE78F2F8A2157802EC7DEA2,SHA256=DBBA2CC6AD24F8D89852AB50F22608D963051954D9B6286EEF5D35670A587071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451550Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:03.933{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AF7D372FEDBCA0CF5CE179B76A4D255,SHA256=FFB8F54DC20DAE996B423A5D720E188DD3913D075197DD80F1DE2023BA774FCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451549Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:03.755{D694AEB8-0703-60E3-DA0A-00000000D301}64366048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001451548Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:03.717{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=873C866F8126D4BE3CB9E4B8E8992064,SHA256=BF013C4BE2B161D20C18F693714030D46815FF8ECF5621AF99930F80B17B5CDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396702Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:03.211{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71EFAE37B80A740BFD6EF8C7D476B1B,SHA256=78740FC50A3410E230BD6CB2C93AA03F47D12B09943A0E5704197235799BB0FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451547Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:03.571{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0703-60E3-DA0A-00000000D301}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451546Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:03.571{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451545Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:03.571{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451544Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:03.571{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451543Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:03.571{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451542Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:03.571{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0703-60E3-DA0A-00000000D301}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451541Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:03.571{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0703-60E3-DA0A-00000000D301}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451540Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:03.572{D694AEB8-0703-60E3-DA0A-00000000D301}6436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001451539Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:03.034{D694AEB8-0702-60E3-D90A-00000000D301}57565832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451567Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:04.932{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0704-60E3-DC0A-00000000D301}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451566Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:04.932{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451565Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:04.932{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451564Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:04.932{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451563Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:04.932{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451562Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:04.932{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0704-60E3-DC0A-00000000D301}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451561Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:04.932{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0704-60E3-DC0A-00000000D301}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451560Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:04.933{D694AEB8-0704-60E3-DC0A-00000000D301}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451559Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:04.732{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E7CB3EC82964AA06ADD9D59A0FAEAF,SHA256=ECEA55F1C24937E9156BBCCAF20AAFA17DDACE081AA46811E3BB70C1B2F7682F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396703Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:04.211{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C310BB012DD20A3C0C539BCBCD3DB237,SHA256=006BF99467B3638AE04B9D2449B92998B81967D7435D51A794F9900369BC0C1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451558Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:04.254{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0704-60E3-DB0A-00000000D301}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451557Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:04.253{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451556Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:04.252{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451555Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:04.252{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451554Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:04.252{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451553Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:04.251{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0704-60E3-DB0A-00000000D301}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451552Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:04.251{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0704-60E3-DB0A-00000000D301}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451551Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:04.249{D694AEB8-0704-60E3-DB0A-00000000D301}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451572Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:05.753{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921A8F7A61DF88C7BA99693A1DF3B615,SHA256=91743836C50E15B81C375846D79075A5FBD53319253E1162C070FBB21F649238,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396705Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:03.421{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53817-false10.0.1.12-8000- 23542300x8000000000000000396704Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:05.226{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4C2A5119976CFA0CF4C18077FC1F5F,SHA256=BC02BB50A5DFCE588EC4CD8A1B2EFDDCE4012EDDC5121C24891F0E2C60FE9E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451571Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:05.254{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E1D9D563C3330043999B207FEF47E83,SHA256=0E87055736DA5D7ABD94CFB0914BBF2511E1C8CDDD50A7A9510978C480A04070,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451570Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:03.240{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54447-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001451569Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:03.240{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54447-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 10341000x80000000000000001451568Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:05.117{D694AEB8-0704-60E3-DC0A-00000000D301}47844264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001451574Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:06.768{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B027E8BEF0FCCF9609E6EA5575DF829F,SHA256=5CE9A4CCE413E50D6D4BB19F9FF2FC94E7EC23B54B7496E2377C71943D3CD73B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396706Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:06.320{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF4888E148C99CDF9F128324B60C44D4,SHA256=342B9E064627D4968D63F11E7C9C2E4F05E12D8F44EF5EA7A2922ED99F9495CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451573Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:03.685{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54448-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451575Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:07.782{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A52FAB3CC852EADE2CA01409A108E25,SHA256=7316E193411C6A482956136F944B391875B5256306D4CBFE0F473F98010BE694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396707Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:07.383{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5979ECF1133740D318D5D2BE799281A0,SHA256=7BBB34D2C1F720302396D19B5C901BADA43DB7B768626D9BE2249462CE9FD989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451576Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:08.797{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADDD47ECF9F16D7B33128EDD9AEADCBA,SHA256=2B4DEAF0719B6D085C9793E09F231B8C53498E5F47BB4BAEB8BD62F545A3F3EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396708Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:08.383{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A5CDF2DA4EEB25E51E2A3D37657C5E,SHA256=90B3F9D474570293B013CB81A241B1FC83787EBF36F9C8556F4B2BDB9A90B2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451577Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:09.844{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E309855A85C61481A9C1F5D4E4378203,SHA256=1F3A9159556C3D891DB731D9A587C9FA209A20FEB3DF02D4DBFA7CD1C920C125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396709Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:09.398{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=896E18B3C4864B8DDF3BDD53FCDDEA01,SHA256=A65133C55E31A82ABDC2BF81F8634E790EE876237A5244E8C9238AC47B07DCB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451578Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:10.879{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E90EBAD38742E6E8CC2A5D2CE32909A,SHA256=6E7672EF25D1BFB561FCFC99C5753B8FB062020EE6FA0E8F99053128CA99EA92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396710Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:10.445{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9FA7AF959A96E8FDB312B2DB20DE420,SHA256=BE79ABA3183404EA1CE1F593890F8A82D1E0F763220BE3C9B488EBE3A1390FC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451580Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:11.893{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF779F9E2D0570392D54648499FB515,SHA256=F13EE8403DD7D28102DFEEAEDD1825F5311E463094C625156EDD62C6F83578C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396712Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:11.445{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CADA79BF9127691FF8C125C85255155,SHA256=3EB2DF4050DD63CA552E594C08C6A4D0F68C9605DFA46B704191FE28DA0CE1E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451579Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:09.678{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54449-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000396711Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:09.421{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53818-false10.0.1.12-8000- 23542300x80000000000000001451581Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:12.907{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB6BC7513C9A5F1D6A4EE618E75BC5E8,SHA256=B1CDE4AEE6BD1068E0E6BC186140D0BEEF048A0426362549B175A4B75480BBEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396713Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:12.461{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B086C81B23AEF8ADBEEDA014DDBF4AA3,SHA256=758755A88F65ADF426DD4CD0CEDECC421B7A48F22D11EF39349EF9710744BECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451582Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:13.922{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E9633FB1A83D6D4BD95B5DD157FFE9,SHA256=2FD82A5500650ACA5304592635D3E93B7F3A72F611C6097745A37ED9186DD436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396714Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:13.508{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B7AE79F3D6547004B4A697B6A09C94A,SHA256=C0165DA8BCA54033E8EA626471D9C2BE9F9214A0DEB19614C965127076A58C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451583Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:14.939{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D6347FAD371F1E0DD9EE620EC06A7BB,SHA256=7A6773344283A8EDA788F2AD7C49A012292A064B298AC87C406C50F27D16BE9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396715Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:14.523{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F08740C5A12FD66E3C4F0734438E02C,SHA256=AA977A72BC946DD95B65F6FEF68F4BE2B5392254363529D115D8308F6378F37D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451584Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:15.942{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31485CE0A8023FD38FD093B4D644A2E2,SHA256=740A00E2F07952CCCE899865C91D2C94F377D76CF783070E034C38629E09B895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396716Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:15.586{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696E2CA79223D8522FC515E6CE8486F7,SHA256=3AB495AE00E9A62E3EF9DD4EAFCC54CBF514492B69DB6A01AF2B4DEC9BC57D0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451585Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:16.957{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0167B76C86E4076C8813E3204306830,SHA256=30C09391B7138AAE6F85178C7D98948FC582B215130BA9CC33E0E0DF4CACC0D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396717Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:16.617{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A76A3F7A979245E6C78926C4A8677146,SHA256=6FC0C6017A2EE4905B6A38EBEF6F2CED6310806017D326295B2D60C6C07D95B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451586Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:17.972{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C92AA7E097B956EF792BBBA0B65ACDC9,SHA256=B14ADBC5D457254E72E7FC396F032D4E48ABBDCF3F23B396C85BCC406BE5C432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396719Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:17.617{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5D9AD179E5FBE4B956E485F3A3BE169,SHA256=BFE52C88D02ED5174774BB6C76332C6214FF643A500438BF7549467371AB470D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396718Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:15.421{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53819-false10.0.1.12-8000- 23542300x80000000000000001451588Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:18.986{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52EE67E33B6C4258A55EF95BCDDAAC79,SHA256=10FEE88C6BD00B1300A0CC699C23099361810DB12F6A8BB98FEAFAE6396CDE04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396720Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:18.617{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49E77EDD35BF3B848B0C8E0843FC38F,SHA256=ECDE4386BC1EBE2577FC5AF352C43DF96E5D3B3595D3C20CCE9AECD452623FD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451587Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:15.672{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54450-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000396721Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:19.618{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9330A74C46DF4A62976B57B52BF74085,SHA256=1222444423DF3CFDF82510333DCBF585D2F3E62E836AA80A708E8C5615CCF2DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396722Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:20.631{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E2FED84226D8F2038C39CF3C47AC6CA,SHA256=ECF8958098296FBF007B7B6FC99C108D1B16B8A60802DFB10E07A2EEB4BD3818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451589Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:20.017{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C887F88EA35F415C169E467611FA7E,SHA256=5EF332FE595340FA001878C3D3C92A49DDD9406542FAC6090CD0722DF7D9B42F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396723Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:21.634{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=778C5C8CE52F7C7D6602C8DC875949FA,SHA256=1B32504A1970FF2B936D1E7BB5577727ECC2B3751CC4E6ECBAA3FD38F5BA5F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451590Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:21.034{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5862DFE56C54C35BFB9AEC3690B0387,SHA256=4211AE98B97D2A94844D134B2711695589D3A864582C3B965DCDEA17A7016293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396724Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:22.634{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=645799023A570A56CD59A6B4CBFAADAD,SHA256=A1D191BA6DFCA06068CBF2A4336DB3FC35B6E23453A2EA4FA22864882483719B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451591Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:22.068{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A249C6FFF2C19B77D514799B4481C93,SHA256=148845185E302F8AD325B22F45263B3BB663AFCE197B6C3496FD0479B2F23B79,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396726Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:21.420{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53820-false10.0.1.12-8000- 23542300x8000000000000000396725Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:23.634{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE64809507E7819F71912D5C2DE056A,SHA256=7162496256EDE2594DDDCAC43588AC488AA8175318057F210EA0137891180045,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451593Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:21.682{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54451-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451592Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:23.098{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05A2799F3755398DCC0D70B929E21981,SHA256=40911D3E868C79C1A83A2963760702D79103153E703010F0625892F9F8074E26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396727Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:24.634{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478E15E1B975061A9B6E90126D1E321A,SHA256=060F60EA6D8945A415AC0046BBDCDCEFE97B966E8304EBF9FB34F1ABA429EF5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451594Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:24.112{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB48CA5AE6429BD83260F231AA8F96B9,SHA256=0B549A2FA2CF71F2E0AE4AA236A3E9E69713CAC982EAA9D4166B61F937E539B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396728Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:25.634{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6BE73535F2B2709E227C8B5F5BDF601,SHA256=2CC7D7A3BF6FEDC80F67E3CF073BA219C60E3E8F6B886A4DE76E9C193EAA960A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451595Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:25.148{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C824EE25F2AE27CB348C45FABC680B12,SHA256=5FDE5D24303FFF47C091628611955D06FA8C5871A1FD5BC6825EE469CE608B94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396730Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:26.634{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68EF4ED186AF64D53C9DED4A7DA27A82,SHA256=C8D1AE8D94BE1D621801ED3C2455E346BCAAC8E771EE0C4672BC53D81E930665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451596Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:26.163{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61FA1188EE0F9663D14D1036BAFFDCC6,SHA256=EAED3E5000324EBA894DF692514E562F7A0DC8EE1FA2C8136D224A9151897A08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396729Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:26.290{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C8127F4F7EF8E191647B193FD78B6F84,SHA256=501A4E1B822ED203451FA9BA7F670CE053D3C22E5CFD338DDEAC4239042A074B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000396741Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:20:27.760{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000396740Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:20:27.760{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01452117) 13241300x8000000000000000396739Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:20:27.760{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77198-0x2382e46d) 13241300x8000000000000000396738Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:20:27.760{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a0-0x85474c6d) 13241300x8000000000000000396737Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:20:27.760{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771a8-0xe70bb46d) 13241300x8000000000000000396736Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:20:27.760{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000396735Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:20:27.760{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01452117) 13241300x8000000000000000396734Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:20:27.760{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77198-0x2382e46d) 13241300x8000000000000000396733Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:20:27.760{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a0-0x85474c6d) 13241300x8000000000000000396732Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:20:27.760{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771a8-0xe70bb46d) 23542300x8000000000000000396731Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:27.635{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00269278AFD2567BC43F28DB3352207D,SHA256=9E2BE99393EB7BA2F145040163274D382BE45A5F3384A7E3FB68482165CCEBDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451597Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:27.193{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6EF0EF3ED7FF3E5D64FF43FB9C399BF,SHA256=0A6143D5FDEB16E1342AC51B8E619E4AF5C80B187923F4B3CA70F78898560A47,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396743Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:27.409{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53821-false10.0.1.12-8000- 23542300x8000000000000000396742Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:28.635{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693297B06F14D6E6ABA7ACCDD315FDB5,SHA256=FD89B5977DD7316F762929A4D34AED80D2767908EE5789B5CF5D29B8EB3AD6B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451598Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:28.208{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F3CD81206CC28C48D16E9F7EEF4B723,SHA256=C2713C36CD4381BAD96749D1F4E26B47BA83F175BCBCDC2359BFB9FE77C7DAF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396744Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:29.635{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69110582F7269F1C9C079F1AAD13C0DA,SHA256=D55949C3ED5AE95510F1907173CCD40753CA43E08979B6D775436B79AE7817DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451600Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:27.697{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54452-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451599Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:29.225{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB4506B5744646311AAB4A1130A3011,SHA256=3CD99881320AE95822228E8EA3CDFD2C4496D59A615BDFB5953070AA6F07D3C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396745Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:30.635{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A38EF86FE48F2C579E13E08F397FA8,SHA256=8B4D08C9187A800B01A82BCFE2A57FC9137F6085886CA04673623FFEC98B1C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451602Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:30.306{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451601Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:30.244{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CD74888DB13B0EEBD5B14B68DFCBD68,SHA256=4D01640672807A96E9A1CA37FCA008EA1E4FAE5ECE9BB8DB410BCBD298B1FD65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396747Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:31.651{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=549723E0231367E54BE5F2DFDA65308D,SHA256=935FFEDC4AC682874746357EF049EC18C7A2F1B49B45444A347AD37F00F142A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451605Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:29.743{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54453-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 13241300x80000000000000001451604Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:20:31.605{D694AEB8-B3EA-60E2-1000-00000000D301}416C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d771a0-0x87b29d04) 23542300x80000000000000001451603Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:31.258{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8911EF6B7A2299AEC09155FE0B3CC5C,SHA256=7FD29AD551444DC36879275B78F9A4DB409206B4D2096CD1EE11E42D774C3511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396746Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:30.995{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396748Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:32.651{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C604B8418AA6203A2472E930280D3D,SHA256=5D546D1862675C668401C8CF9B0E0C178452D0109AC756F5963B67936077EF8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451607Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:31.041{D694AEB8-B3EA-60E2-1000-00000000D301}416C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-201.attackrange.local123ntpfalse20.101.57.9-123ntp 23542300x80000000000000001451606Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:32.273{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA92DFB998F296C0796ED33AE8CF695,SHA256=A1B3764F705A87FF89002D13BB325F02D84C23B730B1FE305D1B7406EEC60722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396750Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:33.651{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17751A09934DEFFD20BAD9EF48439CD5,SHA256=C8E4D83132D1E73EC6B67127BCBF30EA90975A565FFE1B5C5DA0C0881A50E56C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451609Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:33.886{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A0D034DC6214614DF9D9578E6EBF6391,SHA256=C6483C487ACABF3E2434632BB2248679B96057A3A06EDBA19ED64C395A677A60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451608Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:33.287{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D45F4A61DCB843810D10A968A338A9,SHA256=20B561857BA243B34417C92AE8277819A8E697881DB06958409553E71DAEF8F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396749Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:31.174{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53822-false10.0.1.12-8089- 10341000x8000000000000000396766Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:34.807{7F1C7D0B-0722-60E3-4C0A-00000000D401}24681700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000396765Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:34.651{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEE3FA9BF686D4DB16202BDC929289AF,SHA256=88F335CD7D4F7DF272432C3DD642D30AAFA8C17009AA0DD1CCF80F0C5A852078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451610Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:34.302{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B8C113BAD6D5545282E62DE0313F443,SHA256=AA6EF399380B3A37ECA3E8627E074F43999A8D8289E73DD678D011B3F82603A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396764Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:34.619{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0722-60E3-4C0A-00000000D401}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396763Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:34.619{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396762Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:34.619{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396761Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:34.619{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396760Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:34.619{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396759Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:34.619{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396758Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:34.619{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396757Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:34.619{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396756Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:34.619{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396755Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:34.619{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396754Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:34.619{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0722-60E3-4C0A-00000000D401}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396753Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:34.619{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0722-60E3-4C0A-00000000D401}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396752Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:34.620{7F1C7D0B-0722-60E3-4C0A-00000000D401}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000396751Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:33.377{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53823-false10.0.1.12-8000- 10341000x8000000000000000396795Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.791{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0723-60E3-4E0A-00000000D401}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396794Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.791{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396793Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.791{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396792Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.791{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396791Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.791{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396790Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.791{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396789Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.791{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396788Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.791{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396787Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.791{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396786Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.791{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396785Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.791{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0723-60E3-4E0A-00000000D401}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396784Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.791{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0723-60E3-4E0A-00000000D401}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396783Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.793{7F1C7D0B-0723-60E3-4E0A-00000000D401}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000396782Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.651{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA93A05D3434E775C280FBB985A0D3B1,SHA256=2BE420711FA10C697935092DCCDF85CBA8AF84CE00FFBE146286A3AA192FCF6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396781Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.651{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67636A6E761CD26D79DF2E29A7954E11,SHA256=CE1FDAF64045B382C9CEF999DDD9AF8369DC294213A00067D20B7FBF1E2E0433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396780Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.651{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D903B6214F7006E70305A5F83389B6D,SHA256=EB63E431DE56A936AE99C4527107FF8BC52F146328C4F1CEC25EDD1BC5FFB76D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451617Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:33.470{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54454-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451616Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:35.484{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=07C6C3834BCDE3DF410948F432560864,SHA256=849FFCBE4933F211B23489CAD562EF571E6362CE49B6BF10C7288E1598A45A72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451615Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:35.484{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=7F1BDF08F64A170B78BE8DF68E09D156,SHA256=D299CE7CCF02B38CCD705AD1459D7E86212A80F61B9729B18F712C162D60A71E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451614Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:35.484{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=BA9E2AA1E0DF27BA5301A5D703A73FAD,SHA256=08396CC76259916C1FB8CE834415EC3B45E514DFA809BCE19FF1E23103921EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451613Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:35.484{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=8EDEE8137684DB2A659A7A8235F31F69,SHA256=B17098E0B3380C8B73B0928E94D5CB188515E8485F6915876B0AACA133F0F425,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451612Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:35.484{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=09237997D4F77B69921E126EA4BCD8A6,SHA256=10D2B384FDCBEEF794477C3651FA2D0C8D5E12A86C998C42FD322286C89C7804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451611Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:35.318{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1DDCADE6DEE2D9EA012ED3E3D52D5EF,SHA256=78AF7F0C0AFFB42D7CD7D6A344060562F28A6B44C239EE6A62FFA0646F6F2D61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396779Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.291{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0723-60E3-4D0A-00000000D401}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396778Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.291{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396777Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.291{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396776Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.291{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396775Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.291{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396774Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.291{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396773Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.291{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396772Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.291{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396771Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.291{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396770Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.291{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396769Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.291{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0723-60E3-4D0A-00000000D401}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396768Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.291{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0723-60E3-4D0A-00000000D401}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396767Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:35.292{7F1C7D0B-0723-60E3-4D0A-00000000D401}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000396796Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:36.651{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E9F4FD819C4A832054081F76F51B09,SHA256=03DD3DEAA4F31BC83E4F792740FDB3CAC99E054070ED003D14CB5066841011A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451618Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:36.336{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B88205EE7C38A7DE954F309B30B245,SHA256=3D1D8FDC31FC9B402592D4F657AD517A71A8B990A80DB8635E99E675FAE4A316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396798Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:37.651{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EBEC98A661E28B8F62D4C9E2759757A,SHA256=B733633EABF15EADDCEA457DF4FDE3BEA7CF1F3D64679A8E17DD1AFEEF2D8471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451619Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:37.351{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40CE4675419983AD4BC9CCE165C28B0D,SHA256=673AF7754AA754DD291585AB20B5720BC192EE7E8B4DA916942120850F380A8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396797Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:37.010{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67636A6E761CD26D79DF2E29A7954E11,SHA256=CE1FDAF64045B382C9CEF999DDD9AF8369DC294213A00067D20B7FBF1E2E0433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396799Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:38.651{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97BFF0D65E14CA32CB7C0141D834B920,SHA256=2FC0CED559F43DF9663232DC462C87AE429731F635B208092F01B6E1302FB684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451620Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:38.366{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D41E6342A4825BF97F1CDDA27A42B22,SHA256=269733BE5A12C25D101D0437B6CEF41295428D92934B8D590F37D36199E248A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396828Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.979{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A930307619C1E24FA27D75A15A8AD617,SHA256=B6ABE418B75260FB0C49A1C4959BC632D8019A2AE436809CCB92547A51E3AFA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396827Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.807{7F1C7D0B-0727-60E3-500A-00000000D401}30562700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001451621Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:39.380{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E484797605FF7C544C24EDECD75EED04,SHA256=64B208F6D9275A1B386FB21DD60AC3B067BD771F51A1A0C81C672C1255D78F8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396826Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.619{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0727-60E3-500A-00000000D401}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396825Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.619{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396824Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.619{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396823Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.619{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396822Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.619{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396821Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.619{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396820Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.619{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396819Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.619{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396818Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.619{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396817Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.619{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396816Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.619{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0727-60E3-500A-00000000D401}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396815Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.619{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0727-60E3-500A-00000000D401}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396814Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.620{7F1C7D0B-0727-60E3-500A-00000000D401}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000396813Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.323{7F1C7D0B-0727-60E3-4F0A-00000000D401}18881624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396812Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.104{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0727-60E3-4F0A-00000000D401}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396811Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.104{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396810Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.104{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396809Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.104{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396808Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.104{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396807Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.104{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396806Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.104{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396805Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.104{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396804Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.104{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396803Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.104{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396802Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.104{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0727-60E3-4F0A-00000000D401}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396801Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.104{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0727-60E3-4F0A-00000000D401}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396800Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.105{7F1C7D0B-0727-60E3-4F0A-00000000D401}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000396857Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.963{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0728-60E3-520A-00000000D401}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396856Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.963{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396855Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.963{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396854Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.963{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396853Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.963{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396852Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.963{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396851Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.963{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396850Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.963{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396849Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.963{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396848Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.963{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396847Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.963{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0728-60E3-520A-00000000D401}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396846Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.963{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0728-60E3-520A-00000000D401}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396845Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.964{7F1C7D0B-0728-60E3-520A-00000000D401}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000396844Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.854{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A9289CB830DAE55BA2C3C415CCE8217,SHA256=EFB25F3C8A418FEE1E3D1681EDBE7E1463652DE42D667151266108B079430F08,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451623Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:38.701{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54455-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451622Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:40.395{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=981519C6E237C3D34AFCB951AEDBE464,SHA256=CD2D13E3C0B4F2481184EA5F1D9B2B63A591A40435B6AB90604C8FE5EDA979CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396843Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.479{7F1C7D0B-0728-60E3-510A-00000000D401}2636108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000396842Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.323{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D0789D97F648F366D0C4CBFC41BDAFB,SHA256=70457B976E31306A7D24187EEAE338467895CA9272300F037F1AFBB6180ECAD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396841Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.291{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0728-60E3-510A-00000000D401}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396840Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.291{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396839Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.291{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396838Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.291{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396837Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.291{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396836Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.291{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396835Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.291{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396834Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.291{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396833Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.291{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396832Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.291{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396831Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.291{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0728-60E3-510A-00000000D401}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396830Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.291{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0728-60E3-510A-00000000D401}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396829Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:40.292{7F1C7D0B-0728-60E3-510A-00000000D401}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000396859Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:41.948{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9357AF3FCF70375CD5A1A10E87B417CC,SHA256=206BBE1196288BA788577AE9F49CB6282F5AFA911CA904344B353F4FD6B4B4A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451624Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:41.414{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4D58573719BD7F0B5917995C04165B6,SHA256=EAD541C4A21D08BA90F6493EA76121E0FF5C3EDCA4F7A96FD6FA0F4ED69DAAA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396858Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:39.393{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53824-false10.0.1.12-8000- 23542300x80000000000000001451625Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:42.446{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=739BDCEF7272F63D59AA0BC2B0340714,SHA256=D8714B32D0AD311749D9E56760785CBE0F5DCB53B7A2B9DFC0D5ECFB5F378126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396860Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:42.198{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37D4DC9D44455F7EE653ACE7365BA5E0,SHA256=EAEF2BB6C8D3B426B3F886C0E934526DDBAE8CFBDE69A074A53A8973E2DB0D6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451626Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:43.461{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58B81E3302C4B951CC68976B0845F830,SHA256=E414264302DDACDB667EE59E73D2E686A4A16DA6228414F1B5A143E3AD5D0E40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396861Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:43.057{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07C7C5CE72E101BA6DA1B80326BFA8A2,SHA256=ED72C3D353470224C0B2049654A30CD3FA754ACE90E4832EFA3EFC6598F22032,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451627Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:44.491{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38797AC8BA9C4132AC831960D0525995,SHA256=39566CC2CF8FB8CF3679AF8247AF60788C36E08FC91C7DBBAF0ABD6D141378D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396862Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:44.057{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7087876A29563D676A1631AD6FD8B4F7,SHA256=842C37147202247B3CA435B9F8CB8FEAE2DE78C58B07ABF637B5FBFAAC1C8540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451628Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:45.544{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55FC694521909C6E43ED710047760A04,SHA256=61C2FA9112C7046F64185A7614FD79506FD3F8E0531453BC4502693ED14CE45C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396863Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:45.073{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7568D84A8267376A97DB1077916B9C17,SHA256=7BDE29FA2E5B69BB5E48AA40A0E305E5C52E268D85088C307836765ACBF2E38F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451629Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:46.559{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20298211607B273B928C49B63D84D70E,SHA256=C38B7AC2AACDCB472F00EF1BA53C86241B8CD87D4FDF3C88129D28D3833E856F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396864Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:46.073{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8310BDF5BDA39BABE749DDB0168961A,SHA256=A4F71B9F7EA0B69DAD5DA93474EE6374C5A2D4ABD7F9716CB2EC8D7FD60BF7DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451633Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:47.574{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9848186D408A0E621793D611759E9D1,SHA256=11B376A1F50942B92141A08D6FFC8C1A7CE6EA7D2A0913E86E45F7A2D6D71682,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396866Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:45.393{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53825-false10.0.1.12-8000- 23542300x8000000000000000396865Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:47.073{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D55711E6C958CD38B9A3EBAC1F030FC3,SHA256=31B3CAF2DB27A0D78106C0CCF8EE834FAFC574C23ED6E62F33D3FB4A5D5F59E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451632Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:47.374{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1731189FE0B524B8CD338FFF3FC905AE,SHA256=E5CB89450689CC1D83DD73CCF4DCB75787466819D82F5D912D9969C33BB89644,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451631Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:47.374{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EDAC0DA4B9C985DB2538855975D87FC,SHA256=F4EA9E846650380E690C341F557C46167401D268AD8B3FDE518E56506354F0A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451630Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:44.696{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54456-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451635Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:48.588{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0EE0261A10F875FA480C95D5246D880,SHA256=0653B542030DD20EB10D7789444B61235AE9073F5DF66092E3E180791DAD5142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396867Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:48.088{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B1E33481BF013DB6E96C6237EF36265,SHA256=836CCF2FC6C56074C79E65DD1B364933C1671B0ADC278B1DBBC4255E75DC6CDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451634Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:45.317{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-56111-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 23542300x80000000000000001451636Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:49.605{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D511106EA40BA871030102803DE1F9,SHA256=80B022FBF8F18DC00A4D1CD6D38EB9F69D3EBD51D3BA3A4BEFF67C58327F3351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396868Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:49.088{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1E654F53D4F30EA713351254EC7229,SHA256=BD833614B1E86F5FD649197D8F37D9E01F449D79B90EFAF2468433E346B090DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451637Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:50.623{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE1A50D8CC23D3D675410EE6B4DA92A,SHA256=0669ADDCEBDC2838BBBFFC59CC945377EF6CB19B079FF35671C390CCA005FED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396869Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:50.088{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FB4A94CC769ACEAEBE7B3B8EF751F62,SHA256=7BD181E8BAD098FB9DC2B8028A46ACA900230199ED56619BAFF04D129F372764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451638Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:51.638{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=988ECC42700C841C5B094D7A7A2EA40D,SHA256=2E3DF39E1D46ED9E13989DF0CE187614D32E97352529A87DAEFFA59DC406018F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396871Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:50.393{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53826-false10.0.1.12-8000- 23542300x8000000000000000396870Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:51.104{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A824D5DB1E8A8E0548F42AF6F97838C6,SHA256=E657FA750B9CF700F382B0499CD57CF22F07838B1A74568B3C9F3337D9F60EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451639Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:52.668{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E65EFD57438A904125A8C080E08A9BC,SHA256=0C0E99EB5DE3EC19B7FA9B74AAC68247C31F29EC478C20D3F0F99A72B46C4855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396872Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:52.104{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A65BA48E1AC550535ED67658E4C8FA8,SHA256=E0CBED365B25BBDC804E3C8EDC198FD417D835522F8CE3BE2B7E75D22457A160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451641Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:53.683{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1146F7894F11C22E0C2A1AC502A7DD6C,SHA256=5EE786D7B5D2605B63CE7E5A51B35C39CCB7DC1088AF5A61398D55023661D209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396873Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:53.104{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD58876F09BE68CA9C96CA0B45BA34C2,SHA256=9FF707BC0E4B6EF7C157FA334F54F286428A532C3670769A87F811BD8083D2E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451640Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:50.675{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54457-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451642Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:54.699{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97FD67AB66FCB6291A4DAFB32449906D,SHA256=7E542BB48C30DAD2A456BE86DE81A5B7CEF5CED9E712B7E7CFA8979A8E5796D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396874Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:54.135{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDBA844D1E5E47D325AD43E2B6B5506B,SHA256=BCFF9B3E462F331FADB1ACF4BFA8B8381EB7D26B312BB114CBEB246AD05FD358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451648Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:55.718{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC530B08DECD62EEDA208843EEA2A1C,SHA256=8637E69252525371C212D16866344B6734589987D43A1DC5AAC2FDB8D01C3DE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396875Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:55.166{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6AA4D65C45E1A60A1AB6008D976BB07,SHA256=C324EAAD822D08F584D4335CECDB4E9DC21D2AC2EC66CD5E04922C433DC54974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451647Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:55.534{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=101CE3B8FBA9B264931E966284FFBC5F,SHA256=58E97215819F205F057D9884FEEB1C5446DDBA1D9D139F99A6C9950426B5FE8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451646Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:55.534{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=EC22FBB6AA665299D6C1F5E04A09A761,SHA256=BBDDAFD07F7D461846C8BE21249693A426739AF55E9F0F949DA3F67813A1FA80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451645Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:55.534{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=C4AFDA842913B39BD657BB3FAC850B25,SHA256=3991DA6D564665DD221759301AF2E04057118585CEC61855B7B3E1C9802D02F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451644Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:55.534{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=03C854D7B8DC95994AE821196F4E558D,SHA256=33EE48A6EFA37175C70909C3FB9A289C350DC8EAF41C1F7466B5B16F94146A7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451643Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:55.534{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=C998C94D41A7B14A657F3EB0A2DB06D8,SHA256=40EF0EDFE143A330965DDA67D440023A5EC9805C7F092DF0B4E16A50EA60FAB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451649Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:56.880{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47242562EE1281DEC4341544B7297A1,SHA256=DCB0132263D66CA7A861A6EF590B45F3CF5FAA1BC7C41246B2253199C293750A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396880Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:56.823{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D78951BCF2511320D99D34248232512,SHA256=D564D7DE4601396D39B82376177656D673F12E9F6A22E5C03B10BBA714157AAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396879Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:56.823{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=025D47C1C7ABAE5761DCBB2CDB6AF5B1,SHA256=89756032F60D519B11F786C1EFE4016A37174E9704EB488E3860F7B8F73EE308,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396878Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:55.718{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-55269-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000396877Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:55.440{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53827-false10.0.1.12-8000- 23542300x8000000000000000396876Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:56.198{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC22BF208B879BA6B80C658718969475,SHA256=F3E8034D3C1388BAB1B7745587B4253D2C083AA38D862FF1F0E31EB197F72A49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451650Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:57.896{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD3F35769072FD65D7299A03FF5C8BD4,SHA256=9D964199378528FD3A865EC27944A866DBAA7B7AAA9E280D5E9CC0B4EC8C2056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396881Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:57.213{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D5C092FE5D2E825A0577655D8ED4FFF,SHA256=3C30D166488E13936631EF9D52C9D1EAD8C34DD0650D3E771B1F648D86A50321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451651Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:58.915{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A6EBB7F8B897EA1842606E80578069D,SHA256=CC81421D98FD26E6450EE9114C707D4E3FF74F2A9DCB3549904EFDE7ADF811D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396882Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:58.213{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37617CDE4B655F2DC084C411253F9DDA,SHA256=6E33EF41420098D8F253F2DCDF719269517B1AF5E0AD72B27F7263EB362928F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451670Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:59.961{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB23B2A601B3F6F8BDDD013186188C1B,SHA256=53CCDBAE6FB24DFE54E19F7F512E7ECF2679EF27A0CA73AA3EA7B75C6E7FEA7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396883Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:20:59.213{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF3E95AB1771974628CA692A1F52A5A1,SHA256=7F7B9941DBC696CA08AF12DA036F8F3E5E1EFC12AD68BE6D9F4DDEB49CE516FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451669Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:59.776{D694AEB8-073B-60E3-DE0A-00000000D301}47084804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451668Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:59.629{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-073B-60E3-DE0A-00000000D301}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451667Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:59.629{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451666Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:59.629{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451665Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:59.629{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451664Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:59.629{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451663Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:59.629{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-073B-60E3-DE0A-00000000D301}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451662Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:59.629{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-073B-60E3-DE0A-00000000D301}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451661Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:59.630{D694AEB8-073B-60E3-DE0A-00000000D301}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001451660Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:56.700{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54458-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001451659Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:59.046{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-073B-60E3-DD0A-00000000D301}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451658Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:59.046{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451657Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:59.046{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451656Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:59.046{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451655Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:59.046{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451654Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:59.046{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-073B-60E3-DD0A-00000000D301}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451653Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:59.046{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-073B-60E3-DD0A-00000000D301}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451652Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:20:59.047{D694AEB8-073B-60E3-DD0A-00000000D301}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451681Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:00.961{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B40E0214EED5C7B69045B392443D1BE,SHA256=5D8624D3438CE9D517FED8D2E9DB22B09059670E779601F58C3C939822B238AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396884Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:00.213{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DB380356496650336134EBC3630279B,SHA256=732C7DC89D509A1222E35CBAB17F479DFA396AC2E24A15A7856AB50052172531,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451680Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:00.161{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-073C-60E3-DF0A-00000000D301}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451679Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:00.161{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451678Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:00.161{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451677Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:00.161{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451676Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:00.161{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451675Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:00.161{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-073C-60E3-DF0A-00000000D301}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451674Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:00.161{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-073C-60E3-DF0A-00000000D301}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451673Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:00.163{D694AEB8-073C-60E3-DF0A-00000000D301}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451672Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:00.076{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EC3A7BF05DF30BC35867C1D115DEA0D,SHA256=DEADC338BABA3D10DD09C9A2BA4A2E2DF8E11CB0E613406C3A3413B424C41133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451671Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:00.076{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1731189FE0B524B8CD338FFF3FC905AE,SHA256=E5CB89450689CC1D83DD73CCF4DCB75787466819D82F5D912D9969C33BB89644,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451683Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:01.976{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A71870C26F1B677531AD329153E87FAC,SHA256=3D505BEC3F04017E409441382ECAB91005E40C3B9810AEC15564433F98E9F836,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396885Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:01.229{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=432D162853ED55DC52082F3E9980CB9F,SHA256=D76DE6ED0C3A88CBC497CDF6BD6B9A5D832F2CAACCBC60B9D89CF1EC0FA97726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451682Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:01.177{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EC3A7BF05DF30BC35867C1D115DEA0D,SHA256=DEADC338BABA3D10DD09C9A2BA4A2E2DF8E11CB0E613406C3A3413B424C41133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451692Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:02.996{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78DB22F865356E56C6C096208A240E89,SHA256=7D0209DA42579A4ABBD712FDD2F0F0291DDDBC08EF9F8906112211C5F077D9F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396887Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:00.455{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53828-false10.0.1.12-8000- 23542300x8000000000000000396886Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:02.244{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6984A91AA7C1673CE349C4FC8DCBC3E2,SHA256=121B4F9D0C395B6B75E9E11C3B18DC98CEC7933CBBDFDECAFE4C386447C6D68C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451691Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:02.912{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-073E-60E3-E00A-00000000D301}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451690Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:02.912{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451689Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:02.912{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451688Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:02.912{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451687Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:02.912{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451686Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:02.912{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-073E-60E3-E00A-00000000D301}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451685Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:02.912{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-073E-60E3-E00A-00000000D301}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451684Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:02.913{D694AEB8-073E-60E3-E00A-00000000D301}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000396888Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:03.244{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70C996FFEFD0E264EB2B7E0BAD413947,SHA256=7FE34E5E815A053CEB30E4498250D2DD267564FB3803CAC8BD821C29E2D2AD11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451703Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:03.994{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB19E891B613C909DDB03FD2A63D401D,SHA256=2ED3CAD429867BE6F8B55A4B0CF23DE500179E22C57FE5103695044C7E69A724,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451702Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:03.727{D694AEB8-073F-60E3-E10A-00000000D301}1723328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451701Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:03.594{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-073F-60E3-E10A-00000000D301}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451700Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:03.593{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451699Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:03.592{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451698Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:03.592{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451697Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:03.592{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451696Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:03.592{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-073F-60E3-E10A-00000000D301}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451695Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:03.592{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-073F-60E3-E10A-00000000D301}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451694Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:03.590{D694AEB8-073F-60E3-E10A-00000000D301}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001451693Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:03.075{D694AEB8-073E-60E3-E00A-00000000D301}52324232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000396889Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:04.244{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A81C8017E2B4FA39636DACE5BC6465E,SHA256=BA229844814BBF547D37C7E2B0368EFB483E1C6BB6CB00C8B2EFBB5C8CACE2CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451722Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:04.910{D694AEB8-0740-60E3-E30A-00000000D301}50883556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451721Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:04.773{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0740-60E3-E30A-00000000D301}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451720Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:04.773{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451719Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:04.773{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451718Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:04.773{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451717Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:04.773{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451716Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:04.773{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0740-60E3-E30A-00000000D301}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451715Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:04.773{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0740-60E3-E30A-00000000D301}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451714Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:04.774{D694AEB8-0740-60E3-E30A-00000000D301}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001451713Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:02.464{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54459-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001451712Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:04.095{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0740-60E3-E20A-00000000D301}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451711Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:04.094{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451710Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:04.094{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451709Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:04.094{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451708Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:04.093{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451707Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:04.093{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0740-60E3-E20A-00000000D301}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451706Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:04.093{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0740-60E3-E20A-00000000D301}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451705Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:04.092{D694AEB8-0740-60E3-E20A-00000000D301}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451704Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:04.042{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BA762871E0DBDE4C6A00804096E9382,SHA256=8B722474239394833EC60F043536093C07492B9BCF0FFD5A757E01BA857715E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396890Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:05.244{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C21223067DAEAA18A52C6A2993912D1D,SHA256=22138742066F8719364B20C7F86E27902169FE7AB3C703302C77D4DA5A1505CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451724Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:05.110{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5791C7E9C893A5E03C2001EC6FB8262,SHA256=715E1F78629EC5802852E63A3AA8B0D5509B4069904FE4919FCB224F53194053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451723Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:05.057{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A74F382339B2181CE94270F452955CD,SHA256=02467983FAC214007004DA7487C307A981D1DDC6BB9C74087DA1750FBDC25CE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396891Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:06.244{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFE59349639E4BC74C477C21BEB1ED2E,SHA256=B8F41D6431E8A71DD59904BE2B63CEB85256EFCC0F293F033276F522013CCCAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451727Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:03.242{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54460-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001451726Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:03.242{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54460-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001451725Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:06.072{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A1CDF961CE78F879E75BCA5D64B860,SHA256=5553DA85615654CEF3DF052B427FD87D8FDE3E04DF9F60FEE8FF2A219E848878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396892Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:07.260{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD5FEA8AC20E040FC8D1C0C2636A6CFC,SHA256=C03D09E2D214135792209999D35F4E03FA8323ECF9DE7CEF630E5D302885F193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451728Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:07.089{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C79C0DA4B3C985978F3659615A85FF56,SHA256=BEE23263013C9FA354A9F95ED27CEF17AAB89D3D9806B22110A99EA9C0834CEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396894Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:08.385{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E1A385B8AEE1896EA45FD5F3DED1B5,SHA256=2BD9FC44641E9E8A33C31838F4C8B029C0AF37520A04235BB66FD0B21C9881F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451729Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:08.107{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EA4BE8BFBE8E2CA280EEB2603E5A845,SHA256=C473967CC3A9DD7227E9B5971C29A46552E6B93937E1FF0C79094A8988C472D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396893Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:06.440{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53829-false10.0.1.12-8000- 23542300x8000000000000000396895Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:09.416{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5536D698ACD766DE77AFDA0E2BA2998,SHA256=9C962443ED8B2CE0B0AD35ADD2B4D811A53BFAB64AE196BE1B2B2F87480E65F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451731Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:07.706{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54461-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451730Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:09.122{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA6F44F929C071DC9411FF49C1752080,SHA256=5FC27FBF38453FFEF5F50376FB759E0F2BD6CB368D03B565044C26CB5DC71601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396896Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:10.463{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D976CF94D65752C4D2D61B609D0982DC,SHA256=EE3E6098B255EFBB83953537A69155F0AAFD49F96A13364F8DBCEB9B3F193235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451732Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:10.136{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F29FB5C8AEFA3EBFEC7B051DDA81735C,SHA256=23FFAAC1817E4E67318C0D9C44E645479D1DA4F997BF434CA32E15290D0F130E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396897Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:11.698{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2134911124115A3E3E10F84B2CF80326,SHA256=178B1B5FD28282F4271D7522ADE4BAA4A5853050B63912157E830A41E58B1AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451733Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:11.146{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43E754136AE9A514BC138917DC95DD5,SHA256=910232117DCE86B7C065AEA302781111257E736ED839733E7C9CF268191CB1A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396898Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:12.729{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF5E2ED5E9DAF9245AC16951DDEEA8D,SHA256=38A8C442AA8E08E5CE36A263EA32EA07C04B426C506F6EB55AAD5CDDA8BE23A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451734Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:12.161{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA22591B9109926B04E88E30D98761FD,SHA256=09CD6C2F8202E361229A4FD5D766EDFC8F7B2C149DC56F05CF145F9107F5296C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396900Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:12.222{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53830-false10.0.1.12-8000- 23542300x8000000000000000396899Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:13.729{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845A5D3C3BEE9C2F030DC29C0295A2C6,SHA256=F66836F6EA9EDAB6A657F32DEB34EA47646EA7529BADE9DB6633ABC0E07A41CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451735Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:13.175{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C091DC982C2C50D98517E9C694A60CC,SHA256=204CA2C2AA1730A0F0DE6DFE02EF82101C3442030DDDBE2B0EDC60BFDE952130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396901Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:14.729{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A9990040562505344704E52774DCFB4,SHA256=E9D4F9388E8B3ACF917AA110C311FA7EE1F08171DB27441610BE65649487E86E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451736Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:14.192{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A6EDB11F3694C89635A948E2BCED03,SHA256=8306D4781E7778DBFF6D34B442A6A4CD2DF3656C44BE765F5458193D3E5A3D5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396902Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:15.729{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23D4D21B89E64A92DCCE532A83056CFE,SHA256=5B0EDE47DD780969364D9E2615A4984B1C3A386A54303666F831E1672D89565F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451738Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:13.511{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54462-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451737Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:15.210{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18BE99DD1847F2D98286437B9C5B4065,SHA256=532544F9489E23187CAAE356D5A2825769D8125A4A67C9603339C83532129A86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396903Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:16.729{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=212C41538539456BF4D42B7F57193D44,SHA256=33F8C4650CCB9C4A36BE7336D2583B6B72FB3670B38558F571F4806EB92C640A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451739Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:16.225{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=746497502BC378A4303CA310FDC578B3,SHA256=8F644EBD5B4C37663E403E686E1B761367B58F359518811393973C4C881D2259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396904Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:17.729{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C033798F7F055ABDA4FEF063A2702C1C,SHA256=79CCC442A5FDB6312238144891E4CB26EC63D7A45A87480732FAB988133C4D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451740Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:17.240{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F45E1DF2821791CDEC274415F0E4A5C6,SHA256=D011C4ABB4A4D361FA97590FF33948EFD095F7723E8A40206D09C01993192D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396905Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:18.729{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71B09EA858BD0531C40ADCE63B144CA,SHA256=4E521C83F350AFB02EA6CEEDF6403A337B07E6FCB93792E02599C9A6BB376251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451741Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:18.254{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246A78B8C901CCD83E7D589E03E68770,SHA256=A31D96D319031CD36B38A84486C68BF6F1CCA63165F4EEDFBF785D2BEEA71B85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396906Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:19.729{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC104669C9661ECA8AA7303AF2DCE63C,SHA256=CAED5A408CF5A8AF96D6606A042D93FB581319E9E9A26CCBCFF88A8F305870B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451742Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:19.286{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=865760E711AA7F41DB2384941C3A652B,SHA256=6E683180B6EC798968C568E1458FAD6AA405FFA99D3C13CCCDFE8FE3093D5D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396908Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:20.729{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C4D857EC60C7419C41121E45AA3994,SHA256=5B37E4C5CB7EEF61A57089AB1B5D246BCA5D2E96D853636A9774288F6854DA9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451747Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:18.537{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54463-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x80000000000000001451746Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:21:20.420{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\DFD6B7A8-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_DFD6B7A8-0000-0000-0000-100000000000.XML 13241300x80000000000000001451745Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:21:20.420{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Config SourceDWORD (0x00000001) 13241300x80000000000000001451744Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:21:20.420{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_E4B998BB-7148-4125-92A5-5D16014446F6.XML 23542300x80000000000000001451743Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:20.305{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013EBA432803C53F9E3B44F6FFEFFB8D,SHA256=323B13C1AEB4D4675FBB8DB6C219495E599A15A71DCA548631BACBC75A1ECD85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396907Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:17.440{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53831-false10.0.1.12-8000- 23542300x8000000000000000396909Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:21.741{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF3796CF87CB8FF850657FAC09D9281C,SHA256=8F25A425823D3AB4929A2AAF51545C19E0A3B70E7AF45F6013A9E0A072DF663E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451757Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:19.892{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54466-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001451756Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:19.892{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54466-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001451755Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:19.886{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54465-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001451754Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:19.886{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54465-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001451753Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:19.874{D694AEB8-B3EA-60E2-0D00-00000000D301}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54464-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 354300x80000000000000001451752Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:19.874{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54464-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 23542300x80000000000000001451751Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:21.488{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96DF9B2CCEEE80C7A8D69A7F6E0D063E,SHA256=79625DFED3516F46739E8DB07449A41AB0393AA3D2E2D9354A673DA01F69CD3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451750Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:21.488{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F330E8C03A08DE960B554DB459CF5947,SHA256=EF0C1AC26370FA4708029AEA9BBA39D9312573AAE47455F53B2467102702101E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451749Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:21.319{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F67E3D82E52749D87F598B7B6637E0,SHA256=6BE1DD90B985AD0E36DE23DE2B4801A6E147A0156EC6385DCCF6D8ADCEA8B1F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451748Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:21.235{D694AEB8-B3E8-60E2-0B00-00000000D301}6565876C:\Windows\system32\lsass.exe{D694AEB8-B3E5-60E2-0100-00000000D301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000396910Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:22.744{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79487EA37A07D10BE2B2FB2808FE720C,SHA256=E46D875502760E3E8725E0B9CA37E609620CF1B6527F9042DADE391A2F2A52E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451764Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:20.691{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54469-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001451763Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:20.691{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54469-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 23542300x80000000000000001451762Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:22.350{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC9C3FECEC9CAA086F0A01BAF424E3D,SHA256=19054E5099BD9F81BC29E2EAA1C2D9BB49B3CD15BFB7131791E283B736DA55D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451761Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:20.581{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-201.attackrange.local54468-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001451760Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:20.581{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54468-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001451759Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:20.575{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54467-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001451758Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:20.575{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54467-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 23542300x8000000000000000396911Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:23.744{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752E66AF623640C441DB11138E7C3332,SHA256=E5AA192DE82CC4D7AAC751BDCA3D3C45C2417B7162AF83263A38627E3D4E2C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451765Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:23.365{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F2E5BD9ABBB8D5059807CD8DF5A064E,SHA256=F0373808C2CCE48F022D8C5B5142F3E1B8902796DF21425029211252A3992B28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396912Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:24.744{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD87BE7E1A666EDD72121428E120052,SHA256=FF77B4F62879177BA89D67A4F505BB59B459CABB1FD82DDF2746AB8B38B71344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451766Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:24.382{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E85962649BFE721CCB7BF35E7CE9274B,SHA256=AB03B6D5067747D0CA2089ADCB516BC14621714E87099333BBD48BA1850AF0B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396914Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:25.744{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8A46732F93A0DDFD5647D5FB18C1FA,SHA256=8F482F5A7E4075935F66E7497435C205CB618FAC991E968365CC71AE1E0B7852,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451768Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:23.631{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54470-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451767Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:25.400{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB1E936BA215455ED2D73225A1B54A24,SHA256=E8B455A4870033F738ECE5FB79B30BFB0BA969E5F0F112D83812E6D25F90AFA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396913Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:23.439{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53832-false10.0.1.12-8000- 23542300x80000000000000001451769Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:26.414{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0A1910DB9DE6741FFE2AA8A297BE6B8,SHA256=530448BE24FA5DC837A349C70CCB667F1DA8A62A25F5B92944F29FD304DEB9CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396916Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:26.759{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB10C2E8D4B4B6E556745E98800E476,SHA256=8C9D895CD3837C04DC9AB68049898FE4CEDA095731C953301D72554201815528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396915Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:26.291{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=200DB5390A700FBF1805DE33B789A822,SHA256=31D122E3ABC7270D863AD7019B202CB2CF7026B2DF81D2B3B358CE8972670BBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396917Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:27.759{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F737ED7D1A4DFD5523C1FC1159BA4693,SHA256=52BC1287CECB49CE3BA24D1BB5A1B3CBAC7A23AE17D7B0673338CA4F2C591A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451770Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:27.428{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74BBCF4EA93D86CBE50CDDAABFF067F0,SHA256=AA26C87A01454CFCC58A7DC1800153C5C6BD6D4619F8E4960D427546FF671BA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396918Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:28.759{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57DA8450416D28C119E32889998BF6BC,SHA256=BEE1A0C53C6362D0845F3CBBB648DF64CFF44BF0CD00E12D4036067BEC72AF45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451771Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:28.443{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B96690E2848A3854F5A22941B5DFC77,SHA256=781B7045F8991BD06DE8B4A774B633EE5C178F567948CD9F102D1FC7FF690E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396919Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:29.759{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6625E3213DA44EAB05DF8603B12229D,SHA256=2AF4CF21A623481C7FBD2E30F36081C440C2349B8374DF5B64F9C4F8B65C0620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451772Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:29.457{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924F489BC2E7059C99FEB7D512063EC4,SHA256=D29F302FCAEF46BDEED59D7A7273D505E24968920AE8869673C36BE3AD5CDF62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396920Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:30.791{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3ABB3FDB9785D223B72D57725E3E40,SHA256=6F89F7F88BA09106FA4B1FE3AA7A5FC5393E654C9F0B2464430833D7E0B04160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451774Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:30.476{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45EA3CEEAC7D754DFAB6DC7668D8D29A,SHA256=22B95DB3003E4887811236EF18A065ED2E73B329673D4EEA8EE9F488C98DC158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451773Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:30.326{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396923Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:31.791{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8886CA32A4DAC7D5C6634A7EFC5112,SHA256=258ADC9CE7FF48B5EB2CCDD6C0A6370DDE239622175B5D036A135F0447EFC14C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451775Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:31.493{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF7868F00F4EF3157D038FAD76438CB7,SHA256=CA2070F0C0C33B7734EC9818D4931F5FB46EEF5056FE55C09189B158E7511756,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396922Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:28.439{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53833-false10.0.1.12-8000- 23542300x8000000000000000396921Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:31.025{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396924Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:32.791{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E963528D4018B85CE2E92E045896600B,SHA256=7A7F61CD097F567E7660E4273A46FFB13C08B5326500363E89409DAD39567203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451778Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:32.493{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B30313A92ECB144B1E3B19D207BDCF,SHA256=73160B0B2B34B2E67AA9E87C7C54487CF22A02B0F6B0EE413C0CDDD2B312A367,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451777Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:29.762{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54472-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001451776Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:29.647{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54471-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000396926Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:33.791{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13EB7B41797870D1BFA3FD1C7B331C98,SHA256=2A2D65273526ADD1CE037F7B813C2FEAA49B14D0E0ACE3634EAE461E0929C258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451782Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:33.892{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=48A8F65A9337E18659AB046945BA6A1B,SHA256=46AC95AB5D847A4B7E61A9F1AE416B7BF44A572526E520CD5BC0D155225C2FF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451781Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:33.508{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E1D074C01AF22635B53B84A14E0329,SHA256=B90B828D5208534F29500F6CFC7B6F9D247770B9CD416BC498EB03624C14D44A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396925Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:31.205{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53834-false10.0.1.12-8089- 23542300x80000000000000001451780Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:33.009{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A802D5F51C856FC69B27EEA23EEDCC2,SHA256=4E90A0F0FD23769DB038FFE0C00C8E53BE64273D232A2F7489E62C722CEECBCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451779Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:33.009{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96DF9B2CCEEE80C7A8D69A7F6E0D063E,SHA256=79625DFED3516F46739E8DB07449A41AB0393AA3D2E2D9354A673DA01F69CD3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396941Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:34.838{7F1C7D0B-075E-60E3-530A-00000000D401}30682332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000396940Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:34.791{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8838FB0902416CCA624938AEB07C07C5,SHA256=7247877D054CCA1028466C9D34B007A181EB00456E1A65FEB2696EF3B888859E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451783Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:34.522{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BDE03730EFFB04D3300C586BB2E54FC,SHA256=1EDB73E339C8A83C3FB0F1F48D99DA474567B67EFAD13961AF2DDF5FD84D5A31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396939Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:34.634{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-075E-60E3-530A-00000000D401}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396938Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:34.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396937Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:34.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396936Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:34.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396935Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:34.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396934Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:34.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396933Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:34.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396932Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:34.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396931Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:34.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396930Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:34.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396929Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:34.634{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-075E-60E3-530A-00000000D401}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396928Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:34.634{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-075E-60E3-530A-00000000D401}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396927Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:34.635{7F1C7D0B-075E-60E3-530A-00000000D401}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000396971Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.806{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36A5A7517E2FA575A3C32013E2B3349,SHA256=A33914BD9B076003C1C7149DF4B9FEDA6FE7D98FBD049525F4E9B5CE4887ED39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000396970Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.806{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-075F-60E3-550A-00000000D401}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396969Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.806{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396968Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.806{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396967Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.806{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396966Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.806{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396965Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.806{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396964Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.806{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396963Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.806{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396962Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.806{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396961Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.806{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396960Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.806{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-075F-60E3-550A-00000000D401}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396959Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.806{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-075F-60E3-550A-00000000D401}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396958Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.807{7F1C7D0B-075F-60E3-550A-00000000D401}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451784Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:35.537{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A363C864ECA81A620FA2E0E19DD19578,SHA256=CE715425F6006F3402C580246E3E577B9E2839B94084CEEB1BEF44D8EE793011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396957Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.775{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60BF2EDCC9ED38B803B31DD2BB049B31,SHA256=1999EA4EEE7CB76B3796CD2DCDE97DB7331FA00845B969F3502EFD1B82F66DB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396956Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.775{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D78951BCF2511320D99D34248232512,SHA256=D564D7DE4601396D39B82376177656D673F12E9F6A22E5C03B10BBA714157AAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000396955Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:34.221{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53835-false10.0.1.12-8000- 10341000x8000000000000000396954Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.306{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-075F-60E3-540A-00000000D401}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396953Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.306{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396952Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.306{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396951Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.306{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396950Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.306{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396949Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.306{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396948Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.306{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396947Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.306{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396946Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.306{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396945Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.306{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-075F-60E3-540A-00000000D401}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396944Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.306{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396943Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.306{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-075F-60E3-540A-00000000D401}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396942Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:35.308{7F1C7D0B-075F-60E3-540A-00000000D401}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000396973Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:36.853{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=033599CBC8D5865D5A35D2D11D1F6E1C,SHA256=B550333CC7761FA579BB794BDBE3EF8F46A52664A6DA7DB20AB04D90E6978E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396972Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:36.853{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60BF2EDCC9ED38B803B31DD2BB049B31,SHA256=1999EA4EEE7CB76B3796CD2DCDE97DB7331FA00845B969F3502EFD1B82F66DB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451785Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:36.551{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEFDA0DC0B82C30F7F24FB602C49A447,SHA256=E67481B6184017254EAAA5FD9E5660462F75AE0C17E278F0DB8FFC24076C5EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396974Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:37.853{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8BDE4BEB7383DC20EC9C4CB0197F3F,SHA256=66E1B43A37F74AE4896E4BF0AC1DB77086B36C8A10D51AC7E328E30A7D1A7BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451786Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:37.588{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D1087B947D80EBE1F275BA92BE6C16,SHA256=E3D3D52E2EABFDB79BAFAB05EEE38C9646CF56FF4B083EF7A96C9F90FC68451B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000396975Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:38.869{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D01C0CE625DF61E299205B1A799FEC1,SHA256=8360FDCC286888A95A70A5A676045D31B1FF11A670758F169058ADBEB008717D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451788Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:38.602{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C41AC6E6136623E1F07DF60FB8CA43,SHA256=70C06EEC42B0A3AC66D60BEF1CBB29DEA93729AEABE3D0ACF31A1807A96D9638,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451787Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:35.672{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54473-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451789Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:39.632{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=736AC06D1E3EF196FE234DCB1BA5E704,SHA256=07B22786F8880D05C3E9BFED21B1CB518C91244D0BA2F643CD6DFD9B7BAA39F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397003Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.837{7F1C7D0B-0763-60E3-570A-00000000D401}40403076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397002Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.603{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0763-60E3-570A-00000000D401}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397001Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.603{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397000Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.603{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396999Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.603{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396998Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.603{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396997Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.603{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396996Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.603{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396995Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.603{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396994Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.603{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396993Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.603{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396992Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.603{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0763-60E3-570A-00000000D401}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396991Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.603{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0763-60E3-570A-00000000D401}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396990Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.604{7F1C7D0B-0763-60E3-570A-00000000D401}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000396989Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.306{7F1C7D0B-0763-60E3-560A-00000000D401}18202364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396988Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.103{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0763-60E3-560A-00000000D401}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396987Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.103{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396986Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.103{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396985Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.103{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396984Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.103{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396983Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.103{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396982Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.103{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396981Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.103{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396980Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.103{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396979Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.103{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396978Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.103{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0763-60E3-560A-00000000D401}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000396977Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.103{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0763-60E3-560A-00000000D401}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000396976Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.104{7F1C7D0B-0763-60E3-560A-00000000D401}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451790Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:40.647{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA742FC8107D340C0A6521339D239394,SHA256=7FE96F49B6065DDB9DA6D1E4EAD310878EAD763714ECA06C16B1F1E0712F0F21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397032Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.603{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0764-60E3-590A-00000000D401}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397031Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.603{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397030Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.603{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397029Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.603{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397028Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.603{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397027Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.603{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397026Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.603{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397025Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.603{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397024Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.603{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397023Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.603{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397022Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.603{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0764-60E3-590A-00000000D401}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397021Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.603{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0764-60E3-590A-00000000D401}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397020Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.604{7F1C7D0B-0764-60E3-590A-00000000D401}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000397019Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.337{7F1C7D0B-0764-60E3-580A-00000000D401}13683504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000397018Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.103{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1904DCEAA5CBA91AE214B896110CF8E,SHA256=3C146EAFF4F197BD9315035AE100034EB6F33CF892DB3C819908960B41E7828A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397017Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.103{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C7D42E30EE0C190714051723D81DC79,SHA256=D78A4794AA915F14EB735F967A21A91FC9692EEEF502E37DDFE862E6F1A7C5AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397016Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.103{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0764-60E3-580A-00000000D401}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397015Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.103{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397014Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.103{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397013Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.103{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397012Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.103{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397011Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.103{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397010Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.103{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397009Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.103{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397008Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.103{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397007Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.103{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397006Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.103{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0764-60E3-580A-00000000D401}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397005Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.103{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0764-60E3-580A-00000000D401}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397004Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:40.104{7F1C7D0B-0764-60E3-580A-00000000D401}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000397035Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:41.275{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBDB67B1528CCCC569DFDBA5EBFD4099,SHA256=18E0EB1EDBEC82F7D5C1696192247ACB888DF974E3F6C184BB90A50C16260311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451791Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:41.664{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B8EA73E9A82854E59FDAC43F90556A,SHA256=3F537BD4534449D74CA27F5517726F0F07AA0990A0023451D47B867AFC8F7723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397034Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:41.103{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=269EF7E9552FCA8BD70E250581BB6015,SHA256=338D890E81518912E73D7EB99DBF88A220E156504C3D42B307D9863A7675F7BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397033Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:39.408{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53836-false10.0.1.12-8000- 23542300x80000000000000001451792Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:42.683{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=963785B12EDCEA65BD609D5746EBA6FF,SHA256=E50AD4289084EB82C107390E39419991514E6486D2819535CB5C40A1F60361D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397036Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:42.416{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68ACFDBB32DB3362D38DF51C7927BA9B,SHA256=0D02E5961DAAC3A1D448BA6749929A4E433C67F0A3353BFACF688BF863FAD9AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451801Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451800Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451799Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451798Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451797Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451796Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451795Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451794Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001451793Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.698{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114CCC83728F83EB401E4ECAD9AF84B1,SHA256=FFE59199CF52C69D079DEC06DA277FB5C0D093B2D6EA35438293658EEBDD571F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397037Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:43.462{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48C6DC26C1BA20F5D82732E3D75AAC4,SHA256=44D16924CA4FD1ADFAF97F3601F6E06A2511351FD5BB21FBF9B6C195F856F0A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397038Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:44.462{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5609653C97E452FF10A4DAFB6E507C1,SHA256=D464E1F0453F93A8D28C79ABFDA42FF9C3E66CB391A10B8FDF4D5B193FE7ABF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451823Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:41.698{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54474-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001451822Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451821Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451820Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451819Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451818Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451817Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451816Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451815Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451814Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451813Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451812Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451811Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451810Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451809Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451808Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451807Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451806Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451805Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451804Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451803Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451802Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:43.997{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000397039Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:45.462{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F00195C24FBB5FE956DABBA8A6F39E2,SHA256=19760253AC8B732AF337ADE2510303BA2CFA22261E59D58E382EB75BEA548EC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451824Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:45.043{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48231B32607E6962367D2F379986C468,SHA256=02E03918BB0281FAD187F48283191D6C01902F0819A5AF327104A9A04F436E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397040Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:46.462{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F03703AC8E2EA20C162CFBF7798CEC,SHA256=D79334906A1BEA2FEBA4AA14CDF43A85DFFEFA624BF53DFE1F054A8988F24870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451825Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:46.060{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A810EEFA37EA72847E8AF7DB385E7EB,SHA256=DB641C55BD2C3C6F90E45A5B97CCFA71DE0D08DF272CBE086E9A3C0D2CA9F4A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397042Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:47.681{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F961F2AED39BAFE4915577318BC9E38,SHA256=2538E88187AE045B59D26497BA099ADE87CA68C94A90EB32B44CA4928176DADB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451826Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:47.078{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=134EF44E20A0680FCAEA70A4D97FA8E8,SHA256=4BF9728F540BA936DEE12016AEFDD2EBF075BFF2C44F30DC6FBC910212DA1B12,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397041Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:45.393{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53837-false10.0.1.12-8000- 23542300x8000000000000000397043Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:48.775{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7902BD6768AA30FCE11F410871A3EA04,SHA256=E03209CA7014D2DED25DA0AF75D11E728A9E598F5B704A2F62B9B2E6E9B356FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451827Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:48.108{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3CA87256926F0536C64A981363DAFAB,SHA256=7E5962F4985B614CBBF10CB258E06D297947744D8DDE8E593D7A2F52DF6C7C06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397044Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:49.791{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37774E75F116211701C89BB77E512456,SHA256=EB0E313562A134B7E8A15FE904C8E54E3CFC633397A37303C00FEF3CCC90C8C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451829Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:47.707{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54475-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451828Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:49.123{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=299588CCF385D45963C10D2932903E3C,SHA256=DFD611183EC03E8A97A38C4507AD52AD648BA9367CF99CEB0C9225265894B931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397045Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:50.791{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720D235BA37A349A0BBF446D9E5A43D5,SHA256=FA73E048A6A0E37059756352F0DF33EC28B2711B137AD6A473FB759322312289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451835Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:50.691{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=D1C885A24BF4EF9CD635E7CD75DEE2E4,SHA256=DF18CB2BB7E53005E8EF2419655C78380F69A3A47DCE5D8C3C72C23071D763B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451834Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:50.691{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=4C8D137B118173F6AA26B7E3CA6E4862,SHA256=D66CC457B92EDA17305923F39126725D0B16290B251A02497AB144DD2AEAC3D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451833Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:50.691{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=920F969B44378AC5B137728BC11D1BCA,SHA256=48B9EF6DA13846EBF0DFD3A086E5EEA929EE503B5CB19D518A5B080FC70F1BD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451832Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:50.691{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=A17450FF5D3BCC856FEC2F0FE0DC297C,SHA256=9E2059BBEB6470B11CE72A6C5909E8CDFF8BB0CEFEF3762AEF12BF9D9DA8BFCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451831Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:50.691{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=A6AFF087ABE09F5276FF3E066DD83F4C,SHA256=40C54C328563BC3CD437CBACEFC0F69140CC2061D8AA68A81313373E9182DA20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451830Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:50.138{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76D658BDF973356ED17737201D088C90,SHA256=061409DC2903FE791CB5E8829F48EE8EA6EBF78E231AF2059870D97B0E621161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397046Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:51.791{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CAC941D22544B15DE40394EAACA3124,SHA256=0504EFCD2F8C9C45FC64C739406442458EB89C7348D545F7E343566BBD264F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451836Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:51.157{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D17312C043D242FC2C7B1392D7D058,SHA256=B74CFCB3F8761BF309A33652674BD4226314FB46E40BCE0B95C74D5012DA0750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397048Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:52.791{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F11086B66E31446FACB9C906FD9932F6,SHA256=44882369CE642F25972A0D63AC165DAFF549C482EFB24FFCADA702BCD847C8F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451837Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:52.175{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=835F6F604C5A74AA6F0B715CF565A0FB,SHA256=D197479DEB25B89E73D01CE1198E7259D812EFFA83F4A81D15EFED88C4EED872,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397047Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:50.393{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53838-false10.0.1.12-8000- 23542300x8000000000000000397049Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:53.791{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99EB7009C83A265A4E825093B3CF46A2,SHA256=2B16677BDD9817DBEABEA9BA47204399EBBC1A48E1941FD08371CDA76D526439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451838Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:53.205{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D5E6932DE6EB0496BCEB9D2ECE0A2E,SHA256=14E958B6DA49773791F19CD10F32D00953594DA1793F5371418CC3C725911CD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397050Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:54.791{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBD9E982EF568F080D8F545B134C522,SHA256=63C16CB69840D40C27ABB5328105CB2BC47E50991579F311514A51E258A07E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451839Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:54.235{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55546776CCBE949051BFC451691A44B2,SHA256=F8B6502B92E86AEF8E0146723B051A8664E7BD10F2FBA0F25C8CC4DF4D138D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397051Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:55.791{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC088FD486DE5C3EC5DB3AFFEA60CD21,SHA256=91A4AB9ADEC1F1B5DF5F01EBA1C2EF5E9F0BE617FC05257372A8530B3DADA2E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451841Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:53.456{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54476-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451840Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:55.251{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=108DBEC1C36BE37C615893FC520339D3,SHA256=FED92A1C483CD3269BAD061F6DBF0D424E946377C61B9BE9BEDA966E2DC1A86F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397054Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:56.978{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66EE4ADA09EF2EF3652D4AD53C2570FC,SHA256=824A5905B918AE9E6316CA38C2CECC75438703CB3FD4204642921361554E1D63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397053Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:56.978{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C98A333483D6F3ECCD13D5E0D5EB18BB,SHA256=86625F0E82A53ED13E0587301B4F648EB0AAE7949C937278DCC38B2140593F32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397052Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:56.791{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F7C821F5D98105A2CF198FBD2F3F8A4,SHA256=6CFC9C3C50606A5F30C1BED262283D9DB70B9D74A9A6533C65EF1B247238B7AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451842Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:56.285{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA0DB469882B358B68597F0FA7D7F5F1,SHA256=02660EA4356DBD835BA542168857435B769A2B600428EDF5FA67A8472AADF756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397057Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:57.791{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0913BED32D02DB349A98856FA796053E,SHA256=C55FA4C7D1782E710A3CA7608DBC554A25A5F210919C52556C7E93CC7E573537,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397056Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:56.377{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53839-false10.0.1.12-8000- 354300x8000000000000000397055Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:55.883{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-56507-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x80000000000000001451843Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:57.300{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FB97EAD1A77278D282B3F2C2B53A3C3,SHA256=9B457C495DBFFF4F99A07F3E1CDE55E1245683DF9E07F209FCE628B5FE5C8A45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397058Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:58.822{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9149916E2EFA2169BBDB47C8ED8095FA,SHA256=7C399F92E8802CC34E77A35E3FAA6379736C219E5BFEAD4228D53737F5B71911,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451844Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:58.330{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99285E0FB1276290112F76128070A10B,SHA256=5C04DEC847AD38918A423C286A1D9E51E9FBD589FAFEFF28D71A8887749417AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397059Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:21:59.822{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=661FDD5B8B1CE9AEEBE4CB2EDF3998E6,SHA256=4F2497225956E3D779FCBA1B72D95D3301C9392BFE412E3ECC8162DB93861614,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451862Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:59.816{D694AEB8-0777-60E3-E50A-00000000D301}32606732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451861Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:59.632{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0777-60E3-E50A-00000000D301}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451860Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:59.632{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451859Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:59.632{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451858Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:59.632{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451857Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:59.632{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451856Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:59.632{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0777-60E3-E50A-00000000D301}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451855Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:59.632{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0777-60E3-E50A-00000000D301}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451854Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:59.633{D694AEB8-0777-60E3-E50A-00000000D301}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451853Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:59.330{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27AAE0AE8167926431A619EE295CFBB3,SHA256=018D94C10B4BAD98E14727A2633A3591709D005D928E159EFDBFD3EB6ECC163F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451852Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:59.049{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0777-60E3-E40A-00000000D301}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451851Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:59.048{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451850Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:59.048{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451849Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:59.047{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451848Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:59.047{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451847Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:59.047{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0777-60E3-E40A-00000000D301}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451846Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:59.047{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0777-60E3-E40A-00000000D301}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451845Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:59.045{D694AEB8-0777-60E3-E40A-00000000D301}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000397060Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:00.822{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2EF58A3E214B00A2F558850BCD599EC,SHA256=9DFD89BDF8606AE1FC9BC2889450FA2B135DD672B001E8EC4BF2293697B97C49,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451874Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:21:58.650{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54477-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451873Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:00.333{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A279B593625291EB5001615E9941A326,SHA256=0E8563F9DBBEE100C8DD3BF08799C8B05E82F5D335E08EB84CD11ED568CB4268,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451872Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:00.301{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0778-60E3-E60A-00000000D301}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451871Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:00.301{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451870Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:00.301{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451869Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:00.301{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451868Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:00.301{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451867Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:00.301{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0778-60E3-E60A-00000000D301}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451866Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:00.301{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0778-60E3-E60A-00000000D301}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451865Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:00.302{D694AEB8-0778-60E3-E60A-00000000D301}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451864Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:00.070{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B3D6C6C93A4417BBE3DF67786754EF0,SHA256=8B18DA2139E4A0B7FBB01B5DA03986D7BF9A2315ECE11D58C98D8B2736F8F0B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451863Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:00.070{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A802D5F51C856FC69B27EEA23EEDCC2,SHA256=4E90A0F0FD23769DB038FFE0C00C8E53BE64273D232A2F7489E62C722CEECBCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397061Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:01.837{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A18FFBC7000A5A03B026712F86BEA4,SHA256=59B086760EF9C680CE1F40D5014885D603D1551BD39790D0579038E8E0889DCE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451879Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:01.931{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55af0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001451878Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:01.931{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+555d1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001451877Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:01.931{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1467e75.TMPMD5=7CC92A355EA66A219E3148903E63F654,SHA256=CDE288AC5D74287BFA2D9257B236405535586530C59E6CD093A4AD9FE7326A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451876Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:01.351{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0211DABA6C9488656067E699EFD1617,SHA256=51C5F2C14E52320506685CFA2E2B281E97C187B3BB5654BC92ED4121B9BB2491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451875Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:01.316{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B3D6C6C93A4417BBE3DF67786754EF0,SHA256=8B18DA2139E4A0B7FBB01B5DA03986D7BF9A2315ECE11D58C98D8B2736F8F0B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397062Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:02.837{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45EF2B2B2B6F6FCCC90D0D834CF42203,SHA256=5A34FCB6900F6601B3CE9293B018344EE0B7FD6194A8BAE304BD336C9AF13C15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451890Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:02.915{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-077A-60E3-E70A-00000000D301}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451889Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:02.915{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451888Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:02.915{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451887Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:02.915{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451886Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:02.915{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451885Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:02.915{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-077A-60E3-E70A-00000000D301}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451884Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:02.915{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-077A-60E3-E70A-00000000D301}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451883Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:02.915{D694AEB8-077A-60E3-E70A-00000000D301}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000001451882Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:02.448{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\SiteSecurityServiceState.txt2021-06-30 11:32:16.412 23542300x80000000000000001451881Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:02.447{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\SiteSecurityServiceState.txtMD5=F163DF84C55C6D45DADD79F5CF1A651F,SHA256=D5BDBFA2F154BECF212FDF79C129EF31681C324458F6C779E5515A78BE72FCDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451880Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:02.368{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DDDF65A2E3127B35E6BFFD8198FA779,SHA256=21D9E8EC233AD95FF4B9027F601C73BA46BDD1FA3102FDA29BA570CAAD0B618D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397064Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:02.362{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53840-false10.0.1.12-8000- 23542300x8000000000000000397063Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:03.838{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC39AE0BF4EA05002AF004EE1AD153E,SHA256=A4CADBBE9323233D2D992A7313D7824520551275F36A682B555D2F55B4B06B8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451902Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:03.950{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF00609D4EB905B019501DC033AF0DE5,SHA256=D67AB484901B289F5B3ABC946C978CA7A91897080A48918436506181A23F1A5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451901Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:03.751{D694AEB8-077B-60E3-E80A-00000000D301}55161316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451900Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:03.599{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-077B-60E3-E80A-00000000D301}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451899Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:03.599{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451898Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:03.599{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451897Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:03.599{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451896Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:03.599{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451895Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:03.599{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-077B-60E3-E80A-00000000D301}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451894Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:03.599{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-077B-60E3-E80A-00000000D301}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451893Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:03.599{D694AEB8-077B-60E3-E80A-00000000D301}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451892Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:03.383{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E680C64928FC2EB395A1375C2C3E989,SHA256=E198B5F2F772C5621DF9A0FCA5A9051F91396A3F8FC68B13128DEE88B4C48174,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451891Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:03.068{D694AEB8-077A-60E3-E70A-00000000D301}60045700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000397065Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:04.838{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE0CC2DC514B08EF47BD2D10E436237,SHA256=D60C0FB2E955B1E93DDC4FE87B1B8B1265344EE74A60E0278C2681BF4777BD62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451919Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:04.931{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-077C-60E3-EA0A-00000000D301}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451918Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:04.931{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451917Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:04.931{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451916Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:04.931{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451915Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:04.931{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451914Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:04.931{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-077C-60E3-EA0A-00000000D301}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451913Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:04.931{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-077C-60E3-EA0A-00000000D301}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451912Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:04.932{D694AEB8-077C-60E3-EA0A-00000000D301}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451911Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:04.385{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69906359765F818E4A898384FC5F5AF2,SHA256=65F11554F02B6001B3F2695C2071BFF4F8F296BA5A88A5E554B0837AA9511116,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451910Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:04.268{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-077C-60E3-E90A-00000000D301}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451909Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:04.268{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451908Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:04.268{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451907Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:04.268{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451906Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:04.268{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451905Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:04.268{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-077C-60E3-E90A-00000000D301}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451904Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:04.268{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-077C-60E3-E90A-00000000D301}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451903Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:04.269{D694AEB8-077C-60E3-E90A-00000000D301}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000397066Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:05.853{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473D520C59240451416B350366E8643A,SHA256=720FA4DC7D86BEFDCFAF5F8D115C002C871A0E2EEC207ADED025B4A989C9194C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451924Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:03.267{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54478-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001451923Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:03.266{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54478-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001451922Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:05.400{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D9A42ED09D9105F4753B60E7365359,SHA256=611084ED69C2D105E2B1D3ABA6A5B530C5BFAFDB0DEE8449BC18DB61C0D98CDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451921Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:05.284{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D07510713B8CCADBF90C4F85F4161A9,SHA256=7F0C2D10BD5BEFD5A747502F60CA3FDE6744AFBDDE96A1394DE432DA026C1A75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451920Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:05.100{D694AEB8-077C-60E3-EA0A-00000000D301}50481076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000397067Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:06.853{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9BF25C0CCBCA1B3F5094D2C6FFD61D,SHA256=C4088944527018519710A34B8F99FBF2566AA7DDDB83BD9DBE73FAAA217327FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451926Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:04.636{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54479-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451925Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:06.414{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98C36727ED9D9EB01E0670D458055997,SHA256=66C60C6E1153F0FE987D524C4DD98F8212D291D57898DBE62F49E909C5D9D08F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397068Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:07.853{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B820EC3D96AC9A0F600F79982718DAE,SHA256=503965C8226302F350748EFD5C357BEAA4DFF7930DADF7EA3AC0983A9EC0D9C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451927Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:07.430{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C8D800B2706F4FB598539F5859E9F7,SHA256=C5804C93E9A7AD5FDFE1988B27ED6BDA6E607BA211246593357A175EA44670B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397069Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:08.916{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F0BD39FA9ABFA5455C7DBC8F6B914E,SHA256=7A30D37DDC010C543472329A43DCD434E5D520383CC3536377FD563AEB15E8F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451928Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:08.447{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D2597794178F9CC6D2CF3D94C2ACF5,SHA256=BC3D74331D1CE5CDAE30B0F404AE1029418DFC40B3F44C5FCB4D23273BA3F7EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397070Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:09.962{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC2153AC6700DEF61E4F3796F204AC6E,SHA256=A6E16FD4834093A663FEFB46FFD043E8775360B8642A5A068C86904B7BBA5F54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451929Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:09.482{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAFAC3650FB6EBD9B7074FD2A8772574,SHA256=048CDD406B065A661FA92F5BF91FDA9907346EA9C166DE3A8E8A961F54AACB2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451930Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:10.528{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB2B7B127F795D6474EC3F7832972D6,SHA256=5AAF5417085181722B2783E3A304E28C81ED3D2618C44E004EAAF7BD2EBBBD57,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397071Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:08.393{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53841-false10.0.1.12-8000- 23542300x80000000000000001451931Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:11.545{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=092C3FED781E8122107564CA4179526C,SHA256=3D34728E6C7D2DC78FCDB374F81A1A860FDEF63986EFCDC7A53A426BF1B577B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397072Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:11.119{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADBFA4F4CA73D9FDB2C32B605756C07E,SHA256=7102A8736D6775613E1BD7E0ACB2043095F8DA47E7E27D170D4FA52B8D1213E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451933Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:10.649{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54480-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451932Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:12.564{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D4C07C846BDD07CAC1D57CBCCDF17EE,SHA256=FC85281BE87B5413BD7548CD4F742DDBF1F6E6E904E97A1D94EF72E07E0D2211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397073Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:12.119{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678A4F451C7C3DAB3527A28B6CDBD406,SHA256=5921BBA319CE1C41B1F26EE6B4C4BACFB52B1429CAD272BC9D155FC9DA2A0ED7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451934Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:13.578{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=703657CCC900BC79BB0DADAAB8F20511,SHA256=4DBA126F83E1F0E63445C9DE3AD26D8C61636966351EB253343CB3E8AD590EA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397074Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:13.150{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B6949491BFB4F0EE0519FA20C3192C4,SHA256=31667D6BDCA52E023FD4B69D567489C476C6C7613414BD6C68703846044BF1BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451936Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:14.592{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16992ECC2DFD9F4ADA67992775666ED,SHA256=EBFE5506A75D1727D0339D38106079F88713435B456BE823C47F2B0D4ED6507D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397075Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:14.150{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10A69EF643530E1EE5F23AD238D35460,SHA256=02D9EC6304C53919A543ED37B1BBC0CF1849169C6EAB7C7A32C10BCFADD7294D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451935Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:14.577{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=31864A7DE97D387A93661BD4339AFC6A,SHA256=D5AEB30095791EE20CFA698A06BF29B9C3ED77680B07B2FA29C75F98B715AAC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451937Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:15.607{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1CE6EF40CF6EBF166F65A047BBE7E0,SHA256=36E4418FA3C8A73AC02E5C5A7E7BC89E318549C11F7C27056476A1C99270850E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397077Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:14.362{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53842-false10.0.1.12-8000- 23542300x8000000000000000397076Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:15.150{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=759229B7EF4BB1F1AC7A04A101810AD3,SHA256=88C09A908939034D45EAA397B43F23DDF0F4FB4A9AA69AF698F39EE322AE1A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451938Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:16.640{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC387B028BCA136969A5FA05F0921A31,SHA256=07EB1289F0AD7D23A8C02C63DB407263AE3B3EAE5A9D0B23D24D2C218FD4EC60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397078Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:16.150{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C9B8D7A53372CB436301C8AC119C4AE,SHA256=B0D976A0ACEBC4F9AD5791CE62E158822742D9EE95EAB357AF022CD538E07675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451939Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:17.674{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDBB6B089273C59E3D19B79899E848EA,SHA256=C9494A17C8BCBE4FEAEA689C318F544463121B5B647109285DD2BDEA0D7C2F39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397079Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:17.166{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57C3678393581981793C99BF98AE1A2,SHA256=A50A6027722E68835740A3C7D90185F396CF39418FBB4394F7270356B05C19B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451940Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:18.704{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9568A1C7DF1BE608D5F9B9FBD58FDE7,SHA256=3ACDD263B8F52416ECC5AFEA15B4D68B1C18F9E1C6BBB86F40DC56B169EF6B31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397080Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:18.181{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE78CD629AC0666049E5D3EAF70BE5A,SHA256=95AB2F0BD866D61530F64510C8AB42FA75C484241928F9DB702EAF5744FC2EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451942Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:19.738{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFD9169CF5C7078A6909776EF264FCF4,SHA256=98C995D07976D3676B98903E252A21B773FD1BB0CBC202ED74F603391AA2DFCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397081Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:19.197{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=311D891A22D153D29701A3749C902E86,SHA256=AABD785AB72BBC85E450B4D2E22F4E855A9100864F44A0763CEFB72B65331812,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451941Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:16.690{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54481-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451943Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:20.756{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22E8B15FC44C52925F391EFB8092DCC,SHA256=4EC936E4629B5DB16BE7E9CBB93F362BFB7803FD4B29B161E53174BFA23FA777,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397083Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:19.393{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53843-false10.0.1.12-8000- 23542300x8000000000000000397082Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:20.197{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08862D56B4B00E2B0ADE08D200660E81,SHA256=ED3ABD92101026D2866C73F1ED35B84FD09389EE3F56BAB7321E92D85BBC3B7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451944Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:21.771{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F741E6588A7245A7CA26A151F8F98AB8,SHA256=3D7C58B1C1160DD30B1CE86589CD429212954767F000D6B0280449A6B8B152E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397084Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:21.197{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5762C5F9B77A1864A792825A19F5E57,SHA256=C1CD3B8B872B70B6AC2EF9180B6DFF33FC5722F1A8F20139AF6EBD8BFA5126BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451945Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:22.801{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A258E1D0EB600DEB1FC3141BC8D0FCF3,SHA256=3D8CFFDF567C37B7AB0A9E85D2E40D1175E4334D624A7E64562A8A2A830C789C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397085Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:22.198{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E87B0B09F62C720DA3E599D5E167228,SHA256=E02604E0E21E223657501EC7EE732584FC95BB1886C15975AADAC9F0072E0C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451946Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:23.833{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D2D9BD7342FF386A82E3F8AD138E28B,SHA256=9CB5885BA760C24BB5A58492E96A687A905E9E7464B36AC21AB1D22B669590D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397086Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:23.210{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF48D5B7889C2F89D92E244FA015E26B,SHA256=79B8620175C08EB74A12E1B1538DFD986ED537C8E0E2CED4F9CDA4921507F133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451947Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:24.852{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2812A98A61DD030A0E345A97179A85FF,SHA256=28849EEB6348E30602FD52D7236F544EB72ADCBAE060815B580A8EDA077C2E3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397087Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:24.212{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BDF26152B722494DB8E9449ACCF50E,SHA256=9300EC35940E5E0D35E7BE9357EF2B0BB592747392EF6FA9217A92F57AEEAB96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451949Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:25.866{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE675A300C20009AF2F59AAE713FFF48,SHA256=5FEB713D9FAAD7A948612F47AE91841F5344619C661F1AA45F3825CD6BCDB918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397088Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:25.212{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0913012E9E94F64D01A64D23C0D652D1,SHA256=5CF3E1B461CC3C3614846209B8A0941E04CA7ABDEB42CE4B09655FEA467D83E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451948Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:22.469{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54482-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451950Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:26.880{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B80560B68C5B8F4E162FDA055374B56,SHA256=82D06E37E1D5CDC86D6FCA9B20CD8EF06081EC8FDBF37FB349F060A5AFBA4993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397090Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:26.305{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=019BFB2F2611B4844FFD94D5D34F6C9E,SHA256=323B3052456EC539EAAEDBA3FA9AC046F2DA3247B28FB8F0D3A9AE23F1B9D5C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397089Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:26.212{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CB9709E43DAB4E39794F18D2CDA832D,SHA256=82F91C97F505E3755AD4F303698FA1953B8EFD9E9DD19A01EFA67B5D0E817F7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451951Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:27.881{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C29AF5F4773D749BBADA32B65D7B0C,SHA256=BC5CFD32F29F49564A44E1FA79D174AF3EAF217515C5F1FCA2BF6CB039756EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397092Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:27.258{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5BBA93E81593DFF9A38F436769F2357,SHA256=EB3090D092EE87B23B8F53F45A34458CC6A4F71398B6DDD833DA573D77D75BC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397091Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:25.393{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53844-false10.0.1.12-8000- 23542300x80000000000000001451952Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:28.895{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7EC6994EFEFA1C4DFF5D0F25C2C8970,SHA256=DFA25FC01C3F2F41DF975B72D5C0D13E81866168984D3306A3A822DBA55BB7AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397096Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:28.399{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6297677A2E85EE86B8F06013C3077894,SHA256=F852281A9FA55A32A613D1DFE251E04A78F85ACEBFE9964259FAA3D1479D657F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397095Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:28.243{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397094Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:28.243{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397093Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:28.243{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001451954Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:29.928{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A02AA5BDF414B06495AD5C001EF5890F,SHA256=EA073BCE4B150B9F00A46F7F087B199A0FBD056E0697FCE0860425384BA3227D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397097Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:29.430{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E12102E88BFE708BC3893022831E5489,SHA256=02DA9CB603AC11839B837DEBE7D5533EE542D5C286A28DFE4C381F76628CAD91,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451953Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:27.480{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54483-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451956Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:30.946{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA938207A33F0B6159B66FFFD948300A,SHA256=63F384B64205FE1193448158498E93C0BC1A438FC2C4694F517D1283AFFD8305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397098Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:30.493{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A047057E1E6610142D3625702A749533,SHA256=EDC365EA56CD1B0F2B3BB46B0DDC017FEB1655C50FC981A2DFEE0A69DC52BDEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451955Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:30.347{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451957Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:31.961{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A4B2569CB7AC95333674E07F56B9255,SHA256=1BA4C53005F9B869C97D8E2D5D22B4776339A02E3C609CB38B195FAB50B7DF26,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397101Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:30.408{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53845-false10.0.1.12-8000- 23542300x8000000000000000397100Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:31.540{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD38ED02C5C0CE9F1BF3AFF2245C1995,SHA256=0A07C04C992BDB68F1E839FD370AE6CB21913C39779436146A20487F51C62959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397099Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:31.055{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451959Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:32.991{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8628F8A80B1E82EBD5C981977127FB48,SHA256=3DC48B1B45A9A9DDD7EB10E2FC84919660C9A6BA972D475A8C7F730CE951FC47,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397103Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:31.237{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53846-false10.0.1.12-8089- 23542300x8000000000000000397102Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:32.712{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98AE805E2C41F2D6D3084A1A86F31BAB,SHA256=C3024D13A54FA46C5851D2E5C4ED940AD1ED08E3D3BCA935D45F319DA07EB537,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451958Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:29.778{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54484-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000397104Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:33.712{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED6939EEB5DA01CC1DB5334D7C04A93,SHA256=6FADECB469D98A500F4A6071055F76CF834211B71099E444DA1AAAC6C37EEF5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451960Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:33.907{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=77B53C30783436821AA6B2CCE7C6AC84,SHA256=611887369482692A2F3A808DDB0AB8B447D08C06B7E39A4C12F9AA04EC965183,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397119Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:34.930{7F1C7D0B-079A-60E3-5A0A-00000000D401}30562556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000397118Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:34.727{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5DFA829DC14324A9379C57A01ED780B,SHA256=A64F7FACE7DC0413D56FD11C1A2E076BDA043534D168DF9ACEA58AEC4409C555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397117Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:34.634{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-079A-60E3-5A0A-00000000D401}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397116Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:34.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397115Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:34.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397114Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:34.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397113Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:34.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397112Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:34.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397111Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:34.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397110Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:34.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397109Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:34.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397108Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:34.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397107Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:34.634{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-079A-60E3-5A0A-00000000D401}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397106Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:34.634{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-079A-60E3-5A0A-00000000D401}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397105Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:34.634{7F1C7D0B-079A-60E3-5A0A-00000000D401}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451961Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:34.006{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D585E6D7D956F94332D7F628745910D9,SHA256=0ED5F1F1257661C884E1494F2C28003BBFE05A4C40E63CBCED8AAEBB41B40E33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397148Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.758{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1000809D02E9F07268A0DA3C202B54D1,SHA256=B1DCF19AF35F62325B06430CE47207FB2C47B6304E00D05FED887FBFB62B8096,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451963Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:32.696{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54485-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451962Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:35.024{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BAD71D6594537E46A3DC86F45F4FC89,SHA256=2E1F9BE196CDB99BBA6460FDD09323BC22852CB001DEA85EF76DAAC8DB00E657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397147Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.634{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1408BD31D9EB4754459AA1FCA7CD69B5,SHA256=FDAD3DABEDCEBD246D2F861C32A8A9510DA5B4660DDCB1B3F35F642989733C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397146Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.634{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66EE4ADA09EF2EF3652D4AD53C2570FC,SHA256=824A5905B918AE9E6316CA38C2CECC75438703CB3FD4204642921361554E1D63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397145Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.634{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-079B-60E3-5C0A-00000000D401}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397144Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397143Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397142Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397141Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397140Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397139Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397138Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397137Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397136Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.634{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397135Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.634{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-079B-60E3-5C0A-00000000D401}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397134Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.634{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-079B-60E3-5C0A-00000000D401}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397133Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.635{7F1C7D0B-079B-60E3-5C0A-00000000D401}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000397132Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.134{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-079B-60E3-5B0A-00000000D401}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397131Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.134{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397130Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.134{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397129Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.134{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397128Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.134{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397127Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.134{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397126Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.134{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397125Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.134{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397124Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.134{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397123Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.134{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397122Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.134{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-079B-60E3-5B0A-00000000D401}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397121Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.134{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-079B-60E3-5B0A-00000000D401}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397120Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:35.135{7F1C7D0B-079B-60E3-5B0A-00000000D401}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000397150Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:36.930{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0244A0FBE84160443F9BD2E1DCC96AA,SHA256=9F0C1ABEEA106F2BB0DEFC9A99F799AC3EEEB2A3D99C8D8B41A40DAAF13C1BA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451964Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:36.027{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28ECA0E2C2E355A8D0BB2BC5D16364BE,SHA256=2642BBD1A59FFFF045EEFE6128E52AB5926FDB29F267B3A833C47F2E6479732F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397149Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:36.634{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1408BD31D9EB4754459AA1FCA7CD69B5,SHA256=FDAD3DABEDCEBD246D2F861C32A8A9510DA5B4660DDCB1B3F35F642989733C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397152Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:37.930{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85116E25AD7F5830689274055B7075F,SHA256=519C4481BEB2D01356F13D73AA47F34E5A1F873AA7025344E76205471B811627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451965Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:37.057{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D363DE2B149645DEF32FA7B5B5AB45,SHA256=3957EBCDE6E45B902876D4979342A663E8020ED5808DFF505BEACB864C4633E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397151Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:36.377{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53847-false10.0.1.12-8000- 23542300x8000000000000000397153Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:38.930{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61E90952EEA3718FC6F2381F89A9597,SHA256=20E4771B73592DE16113D88F19BB3DE8D7EC5D29E014B7095BFD6FC5C708EF46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451966Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:38.087{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72D8D895779076042E29823C0874D263,SHA256=B8BAB90F5850A38B1425F0126B1D8ED716BAB0D43A1C281135984B15010EF52F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397181Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.758{7F1C7D0B-079F-60E3-5E0A-00000000D401}26002432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397180Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.602{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-079F-60E3-5E0A-00000000D401}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397179Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.602{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397178Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.602{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397177Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.602{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397176Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.602{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397175Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.602{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397174Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.602{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397173Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.602{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397172Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.602{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397171Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.602{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397170Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.602{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-079F-60E3-5E0A-00000000D401}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397169Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.602{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-079F-60E3-5E0A-00000000D401}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397168Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.603{7F1C7D0B-079F-60E3-5E0A-00000000D401}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000397167Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.321{7F1C7D0B-079F-60E3-5D0A-00000000D401}34801556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397166Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.102{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-079F-60E3-5D0A-00000000D401}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397165Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.102{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397164Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.102{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397163Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.102{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397162Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.102{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397161Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.102{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397160Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.102{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397159Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.102{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397158Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.102{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397157Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.102{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397156Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.102{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-079F-60E3-5D0A-00000000D401}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397155Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.102{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-079F-60E3-5D0A-00000000D401}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397154Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:39.103{7F1C7D0B-079F-60E3-5D0A-00000000D401}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451967Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:39.101{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B5A1ED2F0D31B8920115DF76604EB8,SHA256=69B39A7AE18410436BFF74461CE5C8B7B7DE0168DF47529F8A7D4386519C6DAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397210Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.946{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-07A0-60E3-600A-00000000D401}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397209Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.946{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397208Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.946{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397207Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.946{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397206Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.946{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397205Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.946{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397204Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.946{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397203Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.946{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397202Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.946{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397201Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.946{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397200Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.946{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-07A0-60E3-600A-00000000D401}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397199Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.946{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-07A0-60E3-600A-00000000D401}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397198Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.947{7F1C7D0B-07A0-60E3-600A-00000000D401}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000397197Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.462{7F1C7D0B-07A0-60E3-5F0A-00000000D401}3976504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000397196Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.352{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A53A076D4453C5029AB8DBE8CC4585E9,SHA256=D8D4106FB97F8ADF6A95D35184B1E7534A2FC7E65D7113A349357EF8188A2BFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397195Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.352{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F29BDACF0BA256ACDFB6EDC0AFC28A4,SHA256=A3AD85BFBABFF464C4FC09A6019D97ED658892DDDC37D80790D792302231B22F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397194Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.274{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-07A0-60E3-5F0A-00000000D401}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397193Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.274{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397192Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.274{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397191Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.274{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397190Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.274{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397189Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.274{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397188Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.274{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397187Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.274{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397186Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.274{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397185Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.274{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397184Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.274{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-07A0-60E3-5F0A-00000000D401}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397183Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.274{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-07A0-60E3-5F0A-00000000D401}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397182Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:40.275{7F1C7D0B-07A0-60E3-5F0A-00000000D401}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001451968Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:40.118{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FCF38880D13F9468FD37D26D4AC39E9,SHA256=E6A6F2F7FD700C062018595656121DA9D6FA1AF7CB3EE5D2236A2F67ECEAA8C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397212Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:41.493{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB5AD8982BF886A092CB77B707467DE,SHA256=D4893B115F06F494F1804E38E2D86214D36F8E159FEFDBEE932F5F4ABC15BAE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397211Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:41.274{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CBBB2F60A8595BCBE518EE416DD58D0,SHA256=3453795836F397CC6D54C610FDCCF17EA8CECDEDDB26B43B57CB9ECE456A1C2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451970Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:38.469{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54486-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451969Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:41.137{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57DC7EBEA6086C4AF8AD27C40862EE0C,SHA256=271E4C5A083AF903D97E0EAEDB5FF81A3F79B6B1051F937958DABAA006673BA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397213Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:42.274{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54ACDD13D8E5AFF57DB9F2066E35974B,SHA256=31262AAB2C2191B50E343334438F72AFB6C86F38EC73FB6379A851D5D0A78B53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451971Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:42.152{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8703700582B38E9D60B97FE31215F6E4,SHA256=E1C75F8A4281F2A43838E03441D481A92065885672779520A8376F0CFC89D4DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451972Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:43.183{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F47AD0DDCF0C62C01F1EB88829C986B,SHA256=F09EFFFC390BB3A3613B84A297C8022EB1AD97A5C2A9946F78F875DBB79BB49F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397215Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:42.362{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53848-false10.0.1.12-8000- 23542300x8000000000000000397214Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:43.274{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA61F42FFE95FC0CCBCE7EB590F1DFB,SHA256=99EE4622079B3406CFC36D99EE8B4EF01F832CDBB7C64B0DE05369BA5E9D18F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397217Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:44.274{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0364CA1EACCAABFC8EAB522456ADA6A9,SHA256=E5B5CD1319F8FA0DC1682A652C914EBF9B500C03D8B4549AF0A5412AB08CBCB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451973Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:44.183{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8665B5FEEED421F598E2F7A7C66FB710,SHA256=A5A000516C7FD8A444E0AB29E3336D48226B9744459FFEB3E828B44644FEFADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397216Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:44.087{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E530D8F42D3F86543DE8BADC8BE890A,SHA256=2B5434673A02B306F726E89648ADBB780A645B2012DC1674457B31AF120FC2BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397219Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:43.051{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-8727-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000397218Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:45.274{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB971A78395DE4C8434CEC544774AC9,SHA256=8AF50B5A0C5CCF80EEFBC7B104D2EF671216A35CDEFE7B1F6B5E85FF8400A839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451974Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:45.198{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45F6EF06E0327FDC800B8134C832AB39,SHA256=A9639205BBA733B22A1E44122FD8C5D785B5B71593B1B3B759F1D7341EBB47CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397220Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:46.274{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA703BF816A4E7291E171C66B183F819,SHA256=E6000A66E666C150AF19EEAAD61BD1DAB914F23F43ADF6A012B2E1D21962625D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451976Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:43.504{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54487-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451975Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:46.219{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4467F6DA28494EE03B09C39D934A1EE1,SHA256=561F0F7A544FEFADB55FD5A0DD64377CE14D865ED651B5D8C97C0DF051210FB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451977Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:47.233{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8740373D9CCC6864C72EE77CFD3ACD4C,SHA256=7ECE345A9F13BC96D2ADA48AB8F89F4582900904CD999AC022053A61C3B4A844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397221Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:47.290{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E38E4B4DEAB325F4B1FDF081B0AEDB1,SHA256=1864655552C0134B9CED8A9A69F707576A8FC9522D51DFEAD6C09AA77EF34E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451978Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:48.263{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDBFB1D3400569FF1E190C90812DD448,SHA256=5BB14F01BD4745E543A2711C9652CB27B30EC67FD2640A7EC2A3D4E08C054525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397222Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:48.337{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A07F92FA0D7F11BE04D4619025B9A72,SHA256=4F70A7A58A29415CC8F5A48433BFB7E14B5570F770A47D5A0178E53C6301FF34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397223Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:49.337{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF5740DD6ED104665A4274155E74C1EB,SHA256=46308180CF4FE73103FB17A49741C71A1A9F261A586EE1645628C27C800FD0B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451979Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:49.294{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=572C91E0F77CF2615EA5CF182F60B022,SHA256=04687600D5617407088E9349BA830489C327EE06F614DFE8309C719A388452B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397226Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:50.352{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F48DCBFDF783782AF8995AC15376DEA2,SHA256=7C014438E823774C4DAFFDA2F86066013A67BAEB2C7D8C4761A17540AEF4C1E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001451983Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:50.410{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451982Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:50.410{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451981Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:50.409{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001451980Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:50.311{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5066653F857AEE082CDC800F9730F262,SHA256=DE07F522B9EC3771B58502B2B46900233AB409BDE3485CC7BB72ADDFC1C3A0AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397225Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:48.472{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:884:baa:f5ff:fef0win-host-884546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x8000000000000000397224Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:48.409{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53849-false10.0.1.12-8000- 354300x80000000000000001451985Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:49.529{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54488-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001451984Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:51.329{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6DD410EDC2807C752C7A528BE1928B9,SHA256=C82B46B95CF331D0F9B5B5DEC540E7C43B8CB62D02E914815C78718100B7EB1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397227Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:51.352{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=906B1B4793093951D10255F5498E22A1,SHA256=D6E245A473F5F878758B2FB42FC9492B665461EAE26CA32D870B8BE7F556A2E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451986Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:52.359{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E3F9BE3715E8CA0F89116FBB34AAE9C,SHA256=72B341F89BDCA366210ED117448E340C79EFE680477665ED26CB2B17BAE62404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397228Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:52.368{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BC73DDEA1418AF0F2915C49853C137,SHA256=D240AAF5A2F9EA7AFE5EE51B11FE831367D36F4E8278ACB8988E7172D54869AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451987Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:53.373{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE77BC4EC8BDFEBC8AB184E46D8FAAD,SHA256=BA342EE02528AB0219B09320ED61EF75592D47D1AA49DE23C98E1093764C01C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397229Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:53.384{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64626D40366522D1888CDA974BFE72FD,SHA256=5D2CDF8EA4D1B9F525DBB77635A8D0D797F5E93AB20917C5102C7E21FAC5A29B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397230Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:54.384{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BBA476B5BC1A58DFDBE92DBDBA25A83,SHA256=37F3C420C3087F3C8C900B4081E8A6236D1C939C17A3A68105066448FDA508DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451988Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:54.406{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA52147AEB27513FD411523F3703C0B9,SHA256=88C5A6FB8F809AEC26174317EA1DCCDC915568BF83107B7FE066B00B0289D2FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451989Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:55.424{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01D905C3B0A3CCEC380F2C066A096F53,SHA256=50BF5D8418B6EDCA152F70F053684F7AFE989E8EB0A4F67763920EAB67624008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397231Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:55.399{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E26954C8A1BDCD6D3A6744A8AEB79D7,SHA256=9B7BDBCDD6CE1CD777724CBE40943D5BF554EEC2290BFA155C44A7E247825F44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451990Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:56.455{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B3BDADDF978A16E0EEE84ACB1D2BE1,SHA256=189D56954A5F393B47C59011706310BE0D8A4302349C22105A69FC467E472F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397233Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:56.399{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E44F3FF7B06B73F1084EC0CC7261C8,SHA256=C1C59ED6C643391B649DDCFA92108C4B36EEBDD1109C2FE349D4B0409208A5E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397232Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:54.393{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53850-false10.0.1.12-8000- 23542300x80000000000000001451991Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:57.485{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B09CDB97839D5C32BFC7B76E629F19,SHA256=B5CAA68758159E2B316F3873EE1E4B98B4EEC4748A25AC519A0F6088BE27DB61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397236Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:57.399{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C28656A2577349C4FA2B18AAE0D9B5E9,SHA256=CB8B315938DF62326B8B513C9D5A41727E1EF5DA16338BD08B3856E046FF605B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397235Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:57.087{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7811A3D7A26149788410EE8D24FCADA6,SHA256=CDB550E8C9D1693FC8FE530840579468AF87A506B73678E7E166462750823DA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397234Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:57.087{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53A130723379BBB0C68239F3EE511A82,SHA256=9A8BDE5802BD3A7D73BC7B7B6CB7EB59A21B4E2F7B0326795C66C3B43D014001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001451993Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:58.503{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246839883E3482C28261990861A0B319,SHA256=B7508B506E714F2AD5B46480735E01A8B35A7D6B97C17F0A5B7B53069AD54D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397238Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:58.399{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74DB3A6590274FCA85A928B0EE4C6545,SHA256=A83F9E9336C0713690DF3CA0DCC9217CF0651D49252E422D939A8880B0A13FD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001451992Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:55.539{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54489-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000397237Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:56.044{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-57740-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000397239Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:22:59.399{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=737F3E88A93DA3E6FB1C9794AAE3B193,SHA256=6A998BCA4ED59E549EF767E87889352C5A777847DCDEA226E81734D70163DDA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452011Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:59.904{D694AEB8-07B3-60E3-EC0A-00000000D301}53323336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452010Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:59.720{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-07B3-60E3-EC0A-00000000D301}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452009Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:59.720{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452008Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:59.720{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452007Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:59.720{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452006Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:59.720{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452005Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:59.720{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-07B3-60E3-EC0A-00000000D301}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452004Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:59.720{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-07B3-60E3-EC0A-00000000D301}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452003Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:59.721{D694AEB8-07B3-60E3-EC0A-00000000D301}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001452002Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:59.521{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B0564020A20CE98D260C033EF959E59,SHA256=AE0763B3C43B167FD8BA1522F8636CE0CFC7325D99C2034E5C04194935CAFFCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452001Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:59.052{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-07B3-60E3-EB0A-00000000D301}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452000Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:59.052{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451999Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:59.052{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451998Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:59.052{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451997Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:59.052{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451996Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:59.052{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-07B3-60E3-EB0A-00000000D301}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001451995Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:59.052{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-07B3-60E3-EB0A-00000000D301}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001451994Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:22:59.053{D694AEB8-07B3-60E3-EB0A-00000000D301}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001452022Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:00.535{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87231831E94444D95EECA69C1DE24C88,SHA256=F3C605D99C718B7BC3193CF26CEC3E6BE7ABA10E64C2CA2527B9B75044C4E3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397240Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:00.399{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C9C2366A2B071DD200D372409348DA1,SHA256=9A8AA40112AF66AB54FD7D0FFAC01A7B07E1A33CFD0D758C8D9FE0916B7FDEF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452021Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:00.402{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-07B4-60E3-ED0A-00000000D301}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452020Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:00.401{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452019Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:00.401{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452018Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:00.401{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452017Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:00.400{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452016Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:00.400{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-07B4-60E3-ED0A-00000000D301}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452015Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:00.400{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-07B4-60E3-ED0A-00000000D301}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452014Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:00.399{D694AEB8-07B4-60E3-ED0A-00000000D301}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001452013Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:00.082{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=939B43E30ED908B2ACFE0303AE7672E3,SHA256=E1323D9C3C97ADBA1513DC08EDA01633BE60C7AEFB8E2B1361CB4574D687E8B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452012Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:00.082{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96F1ADE38A972BE34FF391E58EDE4E76,SHA256=055E1F106138E6F3DE1253060C099161F3AC0EE751170425F15C7528940D2350,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452025Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:01.935{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\aborted-session-pingMD5=B77F52F8871C3DF9D61F95AFA697BEE5,SHA256=740E254BD03CE828A07CDEF3C85A74E2932778C431B59406B1A5E0472579CCF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452024Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:01.535{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3F17A9FB3A4BAF5FFA3D7CE86A7B4F,SHA256=E8A4978A166AF94880B72CD1A429A723F59DDF8ABF3DBA6B89B53BDB49C39DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397242Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:01.493{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4F72682A963A9B5A7952F380B0AE45,SHA256=07EEB21D0EB580D2E39DE3EC53CB9482E3D8686413F1F8277AC6241254694B52,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397241Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:00.393{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53851-false10.0.1.12-8000- 23542300x80000000000000001452023Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:01.436{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=939B43E30ED908B2ACFE0303AE7672E3,SHA256=E1323D9C3C97ADBA1513DC08EDA01633BE60C7AEFB8E2B1361CB4574D687E8B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397243Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:02.540{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B4CFC4EB5875857D1AE51E08D099D01,SHA256=3C98E2D64F6C784AC83570225FF3258C917A39403468F8B8744D1EC6E36D41E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452034Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:02.919{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-07B6-60E3-EE0A-00000000D301}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452033Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:02.919{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452032Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:02.919{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452031Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:02.919{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452030Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:02.919{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452029Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:02.919{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-07B6-60E3-EE0A-00000000D301}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452028Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:02.919{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-07B6-60E3-EE0A-00000000D301}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452027Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:02.919{D694AEB8-07B6-60E3-EE0A-00000000D301}5956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001452026Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:02.565{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3875AB97E7A472E68C70D7816B994D74,SHA256=51C0F3E14B18F1DD04956D15F43B3FFE62100CC3E6B8E74EE4AA4C1EAF91A541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452047Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:03.934{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6CFB580648C923E2616E6EFCF0DEB2D,SHA256=A237BE46C5DC2B53964C2F045F91FA954A63AA87A1FAFCE28AB732FD53B943FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452046Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:03.750{D694AEB8-07B7-60E3-EF0A-00000000D301}49805424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452045Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:03.582{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-07B7-60E3-EF0A-00000000D301}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452044Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:03.582{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452043Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:03.582{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452042Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:03.582{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452041Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:03.582{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452040Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:03.582{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-07B7-60E3-EF0A-00000000D301}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452039Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:03.582{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-07B7-60E3-EF0A-00000000D301}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452038Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:03.583{D694AEB8-07B7-60E3-EF0A-00000000D301}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001452037Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:03.566{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD35CCC46DE69310DD0D1F1DD11F64D,SHA256=79B230F9790AE10C0724EEBC5D841C05793D5F5DBB73F1D0C71CAEB15A5D6124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397244Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:03.759{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B8A0C742CFF677470A929B2C398C970,SHA256=5B134E9381EC04AF5F9C4D32AD0EC16A1CE718D666AFC5C66B6B5989EE795245,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452036Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:00.572{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54490-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001452035Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:03.082{D694AEB8-07B6-60E3-EE0A-00000000D301}59564388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000397245Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:04.790{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A299FF7636102FDFE46C8323568A61,SHA256=77E682CA0567EF8F96A81BFC00E5F2EB481592338EB7228AD631C4EEDC8C4371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452064Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:04.918{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-07B8-60E3-F10A-00000000D301}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452063Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:04.918{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452062Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:04.918{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452061Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:04.918{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452060Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:04.918{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452059Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:04.918{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-07B8-60E3-F10A-00000000D301}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452058Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:04.918{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-07B8-60E3-F10A-00000000D301}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452057Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:04.919{D694AEB8-07B8-60E3-F10A-00000000D301}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001452056Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:04.602{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0481671FD62162C583A78DEBDB17CFE,SHA256=BC6007DE8F49372277AB06B913DA3A045E639691A7543FD952542DE687325869,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452055Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:04.250{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-07B8-60E3-F00A-00000000D301}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452054Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:04.250{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452053Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:04.250{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452052Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:04.250{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452051Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:04.250{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452050Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:04.250{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-07B8-60E3-F00A-00000000D301}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452049Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:04.250{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-07B8-60E3-F00A-00000000D301}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452048Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:04.251{D694AEB8-07B8-60E3-F00A-00000000D301}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000397246Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:05.852{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C11788517CFED4325223A6AB1E903D9,SHA256=38E266ED736A1E6DB89F9324A5F3822C8D6057032AB2EECFCB7D50990937F9F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452069Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:05.618{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D1AB974F2FCF6D82577357829D9BFCB,SHA256=7E1906BE7D575BB7F5DEAF3F3203531AD82A7FB3D28FD16C3DC542CF76315C90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452068Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:05.299{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23178FDAF525434FADE87BFEDF108B34,SHA256=DBA2293F9077C0DA570558BF98766A64C581D26C2284ED76E8F161D357EA0092,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452067Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:03.271{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54491-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001452066Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:03.271{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54491-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 10341000x80000000000000001452065Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:05.098{D694AEB8-07B8-60E3-F10A-00000000D301}53086852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000397247Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:06.852{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50C8AA6AB84C786C81D2204932658DFE,SHA256=285F5987AF7056128C9A7B5465B5C422234CC29ED1EC93EB060A664EB91E0D77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452070Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:06.632{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71EF773CA781AD4540E0D0113D86C2E5,SHA256=106B933A695F25BBF657CADCABBB9507DE30F51391019DDA75FCF80B9A6D3BC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452071Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:07.662{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0649AC83DA528F0390FD105527B8762,SHA256=14421211EB833C32FF4439FA8A63189D7D111A05A6B5B586619F6D8768E3376A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397248Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:07.852{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B815D3294B3AD9E25021693D43593E7D,SHA256=9C53D9E610C3FCE98528BB222D3C29A069A4EC090E3B5461EE0D7CE98B88CCA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452072Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:08.695{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50DF168B945A1341255DD3F816929B0D,SHA256=A5442447B393C8879929DF1C87315C492D35DE56907558A3605E896969DD1E0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397250Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:08.915{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB629C84216F420ECCCB564ECB19AB02,SHA256=F273F0375B1B77B0E3460B7C9A0F5C4CFFF4476F4FEA10CD17E9F63C199EF6C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397249Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:05.393{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53852-false10.0.1.12-8000- 23542300x8000000000000000397251Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:09.962{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4501E60141918DA79F4BC8F560923BF3,SHA256=6130EE94628EE84A4FA194D05D4E5C97D5C20BF88E315CD7469F0EAAB588F5B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452074Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:09.729{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE66C2098B8362DE1834CD1B549A4E3F,SHA256=411ACB8F246DC23A402B65DB1DCFD3CA952BC39AFFC063797A8AD64BF6AA4F7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452073Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:06.584{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54492-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000397252Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:10.962{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=992BCDF1791D146728BE685F1607FD57,SHA256=BAEE372305DEEA94D5D49124508A798671D29A3290B2D3B695367388B38547F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452075Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:10.744{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F6291EA156378AA4DF01D9844CEF0C1,SHA256=32D0BAA84A1C2BE355B12C5356085AA685DC944ABDC62989FDE098A6FE48520C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397253Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:11.962{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F176B8976F1818B16376C1B10FA9873F,SHA256=49A821AAE017889E005715AA95C074EC12AD8B73ED07D2889CFB8B03992A23ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452076Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:11.759{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1365185EB845383743564CC81466B8DF,SHA256=E63B0F7326843E7AAC1AB0C6DF6A5CF872B0CBE82C35BF440D23D69726E61F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397254Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:12.962{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83ED615DF26875CE41F820B05EBCDC5E,SHA256=7C0914000E2BCB516B58230D3FB234CEB81726C3CFAE213B049A4DAA25B7666C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452077Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:12.759{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FFD2D37FE55944B33A8BDA5B3F8243B,SHA256=28A90737EAF7EEE912E81A8AAA51B051B98B55F9D7A87128B98438275424C70D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397256Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:13.962{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32DDB9235182CB1E15598CDFE6C6124A,SHA256=34C1C5A1141EAFCEF5662D0E0371B53352ACF330AB2560C5095328B9D5D569B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452078Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:13.759{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E439295F1807A09075078FBDD5CBCD2B,SHA256=8CCE194A68D065054D00639E012E18C094F3B4989D123F6EA01F7BF2A341EE1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397255Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:11.346{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53853-false10.0.1.12-8000- 23542300x8000000000000000397257Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:14.977{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAED9D9E13FC9C03AA108F3C97908EC1,SHA256=9F56976C3ADE12800CBF4791456BD84D3E58FA830432D788120E73E38F002C09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452080Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:14.792{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BCB70B91AE8B5F461C80C838E663B90,SHA256=2FA5F0BD5C7FCCCF53A22D32173D8AD1320BDB1834BF14EBD9BD0B2892C46CDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452079Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:11.627{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54493-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000397258Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:15.993{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934E21EAFF5A1A22ABE5063BCCC4D6A3,SHA256=81B063CA56C6AD12AABD125C47738978579DFC7E95D56BD3C88AB5B1FADAA9FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452081Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:15.826{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F26FD81C35024D68C0ED76C79CC15E,SHA256=11B4427C945BA74DA7919D2618AD9B56252EFBCEDB4C888772DBC61DD181B5DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397259Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:16.993{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01F7AE22589D9C8531FB113A815BBA67,SHA256=38E0B839A5BD522791C34D4C8855A65990868B2AB849BAB7E9C0B0C93D563268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452082Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:16.840{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4082D5AA708625CC2632660309AE7A51,SHA256=B0A2E1789EAA90AB18F667E1CF306FD0623611AFEAC0460A80AFE8652FC639CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397261Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:17.993{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C98D5D9B57E87614A8A9015D33ABC8,SHA256=6101663B1E739D1FB23E7215DE8F392BAC36D3AF94E7920412ACD9E1D17E8FAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452083Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:17.855{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF049E2C38A0ACE6FE043D68238E0EB,SHA256=EF05AAE9C22796DA9F8BAE6C00E196559168BB3D5879F27F0359F7AE6C99B5D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397260Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:16.456{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53854-false10.0.1.12-8000- 23542300x8000000000000000397262Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:18.993{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0987AC3E66F14A7E8C42F2CE915E90F,SHA256=3FEF99D2CEEF2AD29B6549A4D1908797D93E055EEF111C93BCD0B8B3865C08D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452084Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:18.870{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8267C81A7B862EBCC90617FCA5495874,SHA256=69835531C77BE35D24DDE622F4116F2B6112718E678FC21500FFDEFA4BB1517E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397263Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:19.993{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DB62E2579BE6BED38BC8ABBBEE1A625,SHA256=F77B948F845840664930BBD09CC1DDF09B3A96C86D8C142030E5B8DA3B0FA3A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452086Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:19.887{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=586E01228F2D958194BBB8BCC15EF5A9,SHA256=97CC669F61D342F90B0A2F6A29C8FB894F8A47E5B3F1ABA555F9A3137743D203,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452085Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:17.638{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54494-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001452087Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:20.921{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825A81511AC95D8F6BAC07A353A3B4F9,SHA256=86615F054BE6B7CAE56E53776F41E8168FDC4A3906CEB844326BA87A67F7F072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452088Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:21.937{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E6000C8DC1B88CD97376F58740CFB1,SHA256=1D43A8D400A18CFA69C77BA533DF61B8B141511B1C941CA9AE2B3132DA643246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397264Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:21.009{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB220DDB13017B469A62326652D03F24,SHA256=40560E2A473A33D04E7220112375397DF42C1F8F2845C8C1A06B8E22BA855692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452089Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:22.951{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674717AC62629BEAC96696EF760EB0F1,SHA256=E435BD37B3A8C7A15F19AE1F813C1C72143E3D04788B774B40D9CC3D1C8BE588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397265Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:22.009{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3850F9A899A9DE875D822F90C26CE4,SHA256=7F8EA0A4841597004F1AA8CA28EAA35938C83B2E8463931CE5EE3C50975ADD57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452090Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:23.965{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B04F7279CC7779D92F24D6C6BEBD8C,SHA256=1D153FCC7ADE92E60EE0A51C38019872E7B453BBA34C3C79A32DA9F5CCAA8956,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397267Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:22.363{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53855-false10.0.1.12-8000- 23542300x8000000000000000397266Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:23.010{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92CD71E72B811C9578487F8C91DBBA6D,SHA256=91CF29206B78BA1F6CA51EFA1DF98465B090FF373124700BD05DB26EEE2B4000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452092Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:24.982{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D839710914BF654178DEA0DBCE105ADA,SHA256=616B7003E0331F42196CC84C8841927DB3D4A32834F5EB6B1187CD547248DF9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452091Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:22.671{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54495-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000397268Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:24.014{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F548CD1663DDFC2A4383EB6343913292,SHA256=A9B4C52217CAEFBE762BD836C5E773814213C8E8F081F923D09C4EE6A4B54AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397269Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:25.015{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0BE628B6748B2AC364D4D08A2F49BE1,SHA256=36A356E78DCA24AA924E59F21FDCBE30A3B9A6D7FD42607113EFDEB7EFEB80F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397271Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:26.312{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=98619EB9B7E242175BC45236A4C92F66,SHA256=3B1EEEE105C712CFF187DEA9D446D4FCE611560BCA35A9F70597EE43C0BA9D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397270Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:26.015{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25EA9D7ABF789FD42019074925C4B83E,SHA256=27255671D28327883723BF259F70C9875551F253FADCB58AA327A0FB942AD92D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452093Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:26.001{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0558948AE4F179F81DFA2B821CFA7E5,SHA256=FC788993AC57441FEBE1F01529C915DD6DD1F4B4395E7BBA6A056E6829F270C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452094Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:27.015{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D697DAF11051B0205FCA3153357630AC,SHA256=9B498003E8FD10CF3CE07EB2213E5F5730F962BF14BDC5B0FE4968325287A395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397272Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:27.015{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB928A9188EA15CA6B3DBA1356C69614,SHA256=CBC01095E9B588AEA773E2153604E1C4E4315D43585EBDAEADDD13862D345E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452095Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:28.030{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E77A661F9A5F15B0B14E7701D87DF7B,SHA256=FD37E0C05F33019BE92AB2796B8F347D82DD31DF0C48CDAFFF92180290817CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397273Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:28.015{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02825B9C9312D62B25D02427B18A968,SHA256=F9E07E4B9B34310B6E4C3D5FE6B6F3A6B0A15BB81390D6FBCE6D6B7D01AE14CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452096Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:29.078{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=671BB0D6E84B708836CF6C38D1017E91,SHA256=AB46C155DF7F5E639A11BCB8638796F7E30E0836DAE923CA00D199F96F062411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397274Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:29.015{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2D216D8D5394E34166BB85F131A9E2,SHA256=A83315A9E9F9C8C03C51394C153F33A78296D6EA6BDF4B23AA8FEFA860BE9926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397275Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:30.015{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6462DECFA30B5A5B217F1F671E7869A6,SHA256=9585ADB7492DE44620F25EE095308E0E2A7740D2105FC2DD8FC72BF90C1283E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452104Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:30.979{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=55FD5E53FCA3D24BCC34D11E4BC9BE8A,SHA256=2DB8DF5289B71429788CC4E088B865BC8ECB8362C5F385503C024A2F8CCD5B9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452103Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:30.978{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=D3B36DE06AB43746BC64E185DC06393B,SHA256=7E2B9DCBBE31FC84FFD13D9591E6294F902D35A1FBADA2EF5F1475E0DABD9D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452102Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:30.977{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=D8D82EEBDC4A53D4176E80DA99DC174A,SHA256=3838BEBE011D12178BF0FF82F7CD3C5A058BB86D52739CF684090D0CCD81DDE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452101Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:30.976{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=FD9027EBAB92513B1B4C72652E555AA9,SHA256=7A1F1C01FE6D72C214696E930909DC31B45F7D09F25BD6063AA6643E46BFEF86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452100Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:30.974{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=7BFF060481917EDD0E60C08DDD721BE5,SHA256=E7948AA186C8CE67A4F8EFEBE31F21D4F6F51AB2D51AED2C82BBCA0D9321A50F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452099Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:28.680{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54496-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001452098Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:30.378{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452097Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:30.096{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CE5CC4F001C8BA657F97466FF76E0FF,SHA256=DE4DCDEC21CE5D0315FDA8BFF7EE2C419895479BB0650EEBA096F270528BFEDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452106Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:29.810{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54497-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001452105Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:31.142{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A94E134B0C7593736AAE3971A647A2B,SHA256=F75F6C61D68E1B723DEF43F9AE8D80BA951CB1B89A89E1F591033AB4F9AD0DF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397278Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:28.322{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53856-false10.0.1.12-8000- 23542300x8000000000000000397277Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:31.078{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397276Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:31.015{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F6EE23FE1D355954B165746B57DC38,SHA256=7C1515472CDD368670201BC4C17E56A94C3D178A1C2C5C6898428130FF7DB9FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452107Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:32.174{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C616CF6F43A8F10F52E6D6345B99836C,SHA256=1F266355B02D352421400564D7B3B321BDD9C11BAD6C5068A1248B13027389C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397279Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:32.015{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0DD1642C5BC7F52BEEB5FD3F6344DF5,SHA256=BE254A5E3F2E7D361C10EE5E5BA7153518BB576677D173988B51E7421B5C6187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452119Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:33.908{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2F309CDEBC3E61C821203A7CF4FD6415,SHA256=70575C4C2D45A7B5484676AEA9975D7293D80A9AC2DCC1E1530BE436B7968681,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001452118Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:23:33.370{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001452117Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:23:33.370{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0147e3a2) 13241300x80000000000000001452116Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:23:33.370{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77198-0x91c62cd9) 13241300x80000000000000001452115Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:23:33.370{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a0-0xf38a94d9) 13241300x80000000000000001452114Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:23:33.370{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771a9-0x554efcd9) 13241300x80000000000000001452113Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:23:33.370{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001452112Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:23:33.370{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0147e3a2) 13241300x80000000000000001452111Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:23:33.370{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77198-0x91c62cd9) 13241300x80000000000000001452110Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:23:33.370{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a0-0xf38a94d9) 13241300x80000000000000001452109Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:23:33.370{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771a9-0x554efcd9) 23542300x80000000000000001452108Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:33.177{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD32BF4A3C11420C43CBAF4F8F3E7795,SHA256=C7B948E12A6B92FACADC2A40B74E2A059FE21F7605E7F7003B61365D34927006,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397281Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:31.260{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53857-false10.0.1.12-8089- 23542300x8000000000000000397280Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:33.031{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933D63389AFFDE492E09915138A78E45,SHA256=44180E8D9CD4CE67EA2BBDC875B5AC584618A396E8831988DC842E5CE871432D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452120Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:34.192{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ACBF65A7BB0BB170A25BFF8DDC89ED4,SHA256=ED9187E4A30757870687AF57110518CE66EB70BC821EE9B6BFAE720FD421F208,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397296Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:34.828{7F1C7D0B-07D6-60E3-610A-00000000D401}33441092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397295Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:34.640{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-07D6-60E3-610A-00000000D401}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397294Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:34.640{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397293Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:34.640{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397292Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:34.640{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397291Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:34.640{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397290Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:34.640{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397289Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:34.640{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397288Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:34.640{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397287Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:34.640{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397286Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:34.640{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397285Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:34.640{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-07D6-60E3-610A-00000000D401}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397284Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:34.640{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-07D6-60E3-610A-00000000D401}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397283Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:34.641{7F1C7D0B-07D6-60E3-610A-00000000D401}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000397282Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:34.031{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D882AAE080C8CD0573894FBF6BB68623,SHA256=B3474F5B6C06646D8A0473DF46B66ABAFC9ED726379E2D23A3AFB68415802B51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452121Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:35.238{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E89161FBB1D0010CFE0D6F31F586D094,SHA256=F3C6BEE2F059113847F5C8E8D4000ED83FDEF905B7AF01008663A3CCF3004486,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397325Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.984{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-07D7-60E3-630A-00000000D401}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397324Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.984{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397323Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.984{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397322Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.984{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397321Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.984{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397320Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.984{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397319Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.984{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397318Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.984{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397317Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.984{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397316Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.984{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397315Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.984{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-07D7-60E3-630A-00000000D401}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397314Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.984{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-07D7-60E3-630A-00000000D401}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397313Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.985{7F1C7D0B-07D7-60E3-630A-00000000D401}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000397312Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.671{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C2B6A189ABD8F5F16830830262F7CC6,SHA256=0CB717F8EE85248C19C67353169F10F7737E7909FC6613599EF805B6E71F0392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397311Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.671{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7811A3D7A26149788410EE8D24FCADA6,SHA256=CDB550E8C9D1693FC8FE530840579468AF87A506B73678E7E166462750823DA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397310Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.312{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-07D7-60E3-620A-00000000D401}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397309Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.312{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397308Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.312{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397307Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.312{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397306Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.312{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397305Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.312{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397304Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.312{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397303Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.312{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397302Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.312{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397301Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.312{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-07D7-60E3-620A-00000000D401}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397300Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.312{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397299Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.312{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-07D7-60E3-620A-00000000D401}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397298Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.313{7F1C7D0B-07D7-60E3-620A-00000000D401}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000397297Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:35.031{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62587FB43F081A7CE579872C5B79D22B,SHA256=8AC49EE277B56343B3557CD725258B58AE326D585D4D6C5E92CAAF5BF9D2612D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452123Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:34.691{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54498-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001452122Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:36.253{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36EC420058757F45B4E0D064CA83FF68,SHA256=D6BC8795540692C834BF63F644CC3D627306B99500541B99BD55855AEF862048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397327Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:36.062{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA7C54F05F1061BC029B1F417570C459,SHA256=92B8EDBC76A4BA9911C00024317F50DC2D01FAEC327DE8EA8D2EDE887902C3C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397326Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:34.306{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53858-false10.0.1.12-8000- 23542300x80000000000000001452124Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:37.270{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C613DBAB979EBBA705B797F0A14E9C5D,SHA256=02EF6903D10CBF198E3EFD01533FC7453D740B62BFFD43BE9003F5048C625E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397329Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:37.078{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=621CCFE5174A1FD68FB5721F9CDD8825,SHA256=EA2AFD3B5E1CF04E1313ACA444C15F7ABB7189D0C16198420A67FA610E9FE93B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397328Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:37.015{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C2B6A189ABD8F5F16830830262F7CC6,SHA256=0CB717F8EE85248C19C67353169F10F7737E7909FC6613599EF805B6E71F0392,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452128Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:36.711{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-46343-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 23542300x80000000000000001452127Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:38.488{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1208227BEDB9A03325FED58308B62F39,SHA256=D1F93F488A8D58E847E3341A0D664A6529C36DF38DC66617781B919E606569C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452126Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:38.488{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6D4D2B0D28264C911C02AFE9B6AAE68,SHA256=93A7A64139441DA408A5B3EE18D49C6733B2A5C94E5C1026548723A5D73594BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452125Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:38.288{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E78B03F07540D5FFB863F8D02AF07A,SHA256=A6E8AA022291A23063E3E5C0EEFF0E321BB08871ABD54EC88831B1AD8471D0E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397330Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:38.171{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE62C1952AE2A97CF2AC2620CC470294,SHA256=7CD9432FC97A24C5D288643804F344B9B8997E85CC7282030DCEA88A2B5C3C69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452129Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:39.303{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E19DA0C4E72EA5912DC46B8F105BFF14,SHA256=0F956D31A39D240D2618F521B2329834FBA7AB67F9A11EA63DD5EC1824D7B76E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397358Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.781{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-07DB-60E3-650A-00000000D401}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397357Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.781{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397356Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.781{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397355Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.781{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397354Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.781{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397353Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.781{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397352Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.781{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397351Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.781{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397350Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.781{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397349Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.781{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397348Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.781{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-07DB-60E3-650A-00000000D401}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397347Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.781{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-07DB-60E3-650A-00000000D401}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397346Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.782{7F1C7D0B-07DB-60E3-650A-00000000D401}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000397345Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.281{7F1C7D0B-07DB-60E3-640A-00000000D401}2876968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000397344Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.187{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16931D991834F0E75BFAA331AAAE8BE4,SHA256=20B6EECBF51DAF6B655C0A6DC2629FC87D228867F92BD51D3EB3152468AB0599,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397343Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.109{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-07DB-60E3-640A-00000000D401}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397342Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.109{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397341Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.109{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397340Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.109{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397339Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.109{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397338Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.109{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397337Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.109{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397336Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.109{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397335Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.109{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397334Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.109{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397333Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.109{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-07DB-60E3-640A-00000000D401}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397332Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.109{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-07DB-60E3-640A-00000000D401}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397331Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.110{7F1C7D0B-07DB-60E3-640A-00000000D401}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001452130Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:40.318{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8A10FB69B79E916D3EF33BA00EAE09,SHA256=C5676A826730101A2D346A2AA0AEA8054B302A7281D717A6C54CDE5DD2C17E65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397388Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.953{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-07DC-60E3-670A-00000000D401}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397387Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.953{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397386Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.953{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397385Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.953{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397384Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.953{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397383Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.953{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397382Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.953{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397381Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.953{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397380Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.953{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397379Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.953{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397378Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.953{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-07DC-60E3-670A-00000000D401}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397377Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.953{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-07DC-60E3-670A-00000000D401}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397376Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.953{7F1C7D0B-07DC-60E3-670A-00000000D401}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000397375Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.437{7F1C7D0B-07DC-60E3-660A-00000000D401}23082020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397374Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.281{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-07DC-60E3-660A-00000000D401}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397373Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397372Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397371Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397370Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397369Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397368Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397367Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397366Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397365Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.281{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397364Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.281{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-07DC-60E3-660A-00000000D401}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397363Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.281{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-07DC-60E3-660A-00000000D401}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397362Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.282{7F1C7D0B-07DC-60E3-660A-00000000D401}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000397361Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.203{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1691920B0D346C9C8FC4A9EB2D429DEA,SHA256=886FEDBAB4A2285AF992FC49FCFB9B79ACFD8412276FD5BEB935CE2C0749F760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397360Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.140{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58BA64F914855E3827632D45F0F137CB,SHA256=6B8B96F1D43C0A2DCC87F38519CCAEFB25024A5D6D3B3F09D531DD233910F457,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397359Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:39.999{7F1C7D0B-07DB-60E3-650A-00000000D401}40922888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001452131Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:41.333{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5891B85CBDF9DEAEE06EF417F2A00F9E,SHA256=71B503070225A6622A943AC45A77F88DBDEE7DC7CA90C7A50FF72A7882F42A62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397390Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:41.281{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=113345593B3D70167C9417AF08BCAF39,SHA256=9B5EA0BE0D6E20D439DEE5CF43FDBC98A5C1E7E834619FF9EA9B55B9913D5B71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397389Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:41.249{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A40741511DD3D866EA7B562AEA201DD,SHA256=D2B2C741892A2CC65A1B7CF0EBB3E495FAD93415365A22280C2BCDF4F63BDA81,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452133Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:40.454{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54499-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001452132Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:42.365{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979022D03BD1C7C0CBC7276120661E14,SHA256=07131916D8E07C6BFA15BA07920947201A47DF1C5D20C822C3E0D0C6DD1AAAFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397392Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:40.322{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53859-false10.0.1.12-8000- 23542300x8000000000000000397391Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:42.249{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081CFB132E5AFF06141FC10ADAF184FF,SHA256=8576D95A90C1DE04A7A2F35021A45D35C1FCADD0E2455432BF29FFD34B8E6FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452134Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:43.383{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBBC7516E6ACF0E1CFDAC7CD0E9F809E,SHA256=EA7820029DF09F1B2BC829C14DCE1FC2C679D111A6517F72DA0E448A8B12EC0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397393Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:43.296{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=190F63BB103C890D22985625CB20AC24,SHA256=DFFE3DAFE55FAFD70456E316FC26A5D069E8E31DD554A271BE93E919FF3E6B9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452135Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:44.398{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E9FE128C3D34AC207BAAC304FD37B90,SHA256=101165694200075E892298B6C72DEABDF517858DECAA94F22CD3ADCB63247081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397394Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:44.296{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87B88813C22A68A9A69F144535CEB21,SHA256=70D68890C2DA73EF2F9AAC5B529D57E1D663AA4F1C88C2148948280117C8C998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452169Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.896{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0120B8699DC8596D455C47373E843A9,SHA256=06777EC0E343ABF4CE538876572718A9646E9C807B0584A1FF54D220CA14AB36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397395Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:45.296{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C10717DFF4B12F66E5769B86681F2D,SHA256=A0395FD5B9AFC1A3BF4E34E8A85235752F12BB34C438E48EE053AB12DBE80B1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452168Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452167Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452166Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452165Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452164Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452163Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452162Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452161Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452160Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452159Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452158Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452157Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452156Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452155Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452154Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452153Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452152Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452151Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452150Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452149Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452148Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452147Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452146Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452145Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2500-00000000D301}2804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452144Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2500-00000000D301}2804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452143Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452142Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452141Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452140Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452139Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452138Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452137Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452136Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.013{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001452170Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:46.980{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEDE29795C66488B5BBC7A376A3EFB1C,SHA256=5407B451DEC889026E8FBAE8606CAF0D0E9A4AF5E691C6DBEE1CDDF7EB57C5E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397397Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:45.322{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53860-false10.0.1.12-8000- 23542300x8000000000000000397396Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:46.296{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7E714E8EEC89D1E3452F28B0C631233,SHA256=0A77593145DF7F6239C0DB0E264AF73DE5F816E5EF0B7BFA8063617BDBF83D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452171Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:47.994{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=587E7430974EE1B978B5656C2736E38C,SHA256=DD9DFE0CC6F08EBAFAA0B803E0F8B3B4573CC5810A9CE4A3991418E94176D105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397398Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:47.296{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BAA752C6A94F6DE231A6A92A3B949AC,SHA256=D08CAEB14494B78980456210ADDC19572BAD9BFDEA471E7985513F875214F0C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397399Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:48.343{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA3408E13CB12E9CCA1B1A6B9E06ED4,SHA256=572C61D2779A68B96AEACD67FC8C7334B967B5492BA440DC3FAD6E435576981B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452172Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:45.664{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54500-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000397400Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:49.343{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6391DB87D8146F717C9FB906BEE68CC,SHA256=51A1F8E2843CE32110BE0158FE5043A1FE48D8C4F9353973FF0F8D3CDF9CB2F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452174Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:46.708{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse74.120.14.53scanner-07.ch1.censys-scanner.com55648-false10.0.1.14win-dc-201.attackrange.local5985- 23542300x80000000000000001452173Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:49.009{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B079330E89085D33CC23376FBF91F3B,SHA256=FDA0E656EA8F789F1F2EFDD2504116B15EA08F8C0AC241A7544C60860F70334A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397401Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:50.343{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368CE02EA2AC5E024B7C44300116570A,SHA256=4A6910C2F8EFB5ECA18EAC63D1F15E89794405C0A0A4B2660CE7C00F5D6E1AB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452176Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:47.841{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse74.120.14.53scanner-07.ch1.censys-scanner.com57816-false10.0.1.14win-dc-201.attackrange.local5985- 23542300x80000000000000001452175Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:50.023{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65A79B2D678F55FDFB57E0B62161967,SHA256=852B4ADCC97C5490C8B31F1B8C3BB5BB606B4CE67E167BD6AA3EF1247954F04A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397402Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:51.359{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7EFEA52C18A57AB70C0CA81180F37E2,SHA256=61C8CA2A9E1A806CE923173E415C7B056FF705696C1D498E986370D821A0849F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452179Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:48.461{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63076- 354300x80000000000000001452178Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:48.236{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse74.120.14.53scanner-07.ch1.censys-scanner.com38334-false10.0.1.14win-dc-201.attackrange.local5985- 23542300x80000000000000001452177Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:51.038{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B20E6940B4C411474DCAB6F9330C6A34,SHA256=619362A53972E981F5C070FBC484BADAF659744CEC011775289E170A85665191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397403Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:52.359{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87E322E022FA63C9B6F137CF76263028,SHA256=8F534DB4F4DF82F758574F080902F279433B54D5B01EB59911980B454419EB10,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452181Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:49.608{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse74.120.14.53scanner-07.ch1.censys-scanner.com44270-false10.0.1.14win-dc-201.attackrange.local5985- 23542300x80000000000000001452180Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:52.055{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1909C7B0D1784184446D660E9C47DA4E,SHA256=30F63A4E554884BBBC8416229A11E0FAF80EEB514D5400D5B4E24618B6B9B3A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397405Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:53.374{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2114AACB17029C6ACFA2B1E1E92E3EE,SHA256=B2A92D795A54E0F42740AB43DE2895309DADE0B60A154D414784F16AE7C5B493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452182Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:53.057{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A6DC33FAEF42F991FAB1C07ABB792D,SHA256=C005953EFA8230771FF6AAB445EDC16AAD61874772A78111E0E9946EE9E507AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397404Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:51.307{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53861-false10.0.1.12-8000- 23542300x8000000000000000397406Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:54.531{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3615DA6C75C2FCB720F81577CDFB5A98,SHA256=D8597C7AC889B1A0065390F26DB4D112C7B254B1A3B2D830A7E8CDA53BD9D0F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452184Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:51.642{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54501-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001452183Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:54.072{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22401FC06E1641B2E10696F6CE316B51,SHA256=9896E712E1F59F2D72FC3AD62C20E7D83C7A89F64BF5F51AB4DBC4CF5ACEDD18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397407Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:55.531{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5FA46EF3EC124CB75EE06C84DF5686,SHA256=A245F9CC0F05A90AB1E413D9C27FBA15388309B1FFA59C245F73C3A5A960F7C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452185Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:55.102{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E49AC0DF2F554909AB88378F0641F08,SHA256=5208A2586B97C46A821974822692DB20EC2347ED09B3BB26E13DECA987513B40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397408Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:56.531{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8AF56BCA7C0783C3AEB39292EB7CAFB,SHA256=F66F6F8BD2DBDA25204D40D3C981A604CE45C21DB67561775802A9CAFF149332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452186Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:56.117{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE115EE5BB294D6A418475879634B7B,SHA256=ACE5961E43D97B3073E10F6AD6FF68083958C4C0651ECFB76802CEBE0275EF74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397412Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:57.531{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE290B8B7A8EE49F9B0948B7966C5C4C,SHA256=0BA55DF66FDE1B56E9F6C401B6BACE66C1A58BB2EB2C5FD1572F8BE2CCA8CC9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452187Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:57.132{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215EACB6DE9613FD1F84F9FE4F3F8D89,SHA256=DDF09A5CFF3B121E45755CCFB06B91D72D6F2DB7BE4BAB342CDC5AAC9B1AB376,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397411Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:56.064{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-58937-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000397410Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:57.171{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD8A62F9B932B48AF20BD77E924B0BFA,SHA256=E43CC6CC42E4033B21A36DA86F493754A8325B33C2358B9DD28532CF98E77F3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397409Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:57.171{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA6FEE586FD9CBAE250AA91AB6158DC7,SHA256=3B7A340CD06F98AA83CEDB870E466DEE3E7EDA30A63B05727769EC4266CB547B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397414Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:58.624{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=143C99834094548F232E723C7298F781,SHA256=0B813958A4F60DC8F5A82E9A2BA887D047082C4B8F98412C50D102A34529B2C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452189Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:56.652{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54502-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001452188Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:58.148{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B50FC6965DFC484E58DA892A1EA88F7,SHA256=0797A15B7CAC0449C86EF5A29D9D2CF96846535D7E7CB1E80443E1EB1EB0CD3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397413Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:57.228{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53862-false10.0.1.12-8000- 23542300x8000000000000000397415Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:23:59.624{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF70A6C2736C053528FF832CFBA1D1F3,SHA256=348A07A8AC02414867B6379AB2270DAF2A8AB9E7944B2EA6E5ACF6594EB8F320,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452207Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:59.882{D694AEB8-07EF-60E3-F30A-00000000D301}62685132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452206Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:59.729{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-07EF-60E3-F30A-00000000D301}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452205Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:59.729{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452204Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:59.729{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452203Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:59.729{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452202Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:59.729{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452201Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:59.729{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-07EF-60E3-F30A-00000000D301}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452200Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:59.729{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-07EF-60E3-F30A-00000000D301}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452199Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:59.730{D694AEB8-07EF-60E3-F30A-00000000D301}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001452198Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:59.167{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB793255388F3A413D79D62F36CA771,SHA256=B5419B02C4B3E2194C632101284EE046D55D513C0FCC265F8D2014556EFAA44C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452197Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:59.067{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-07EF-60E3-F20A-00000000D301}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452196Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:59.067{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452195Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:59.067{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452194Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:59.067{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452193Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:59.067{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452192Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:59.067{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-07EF-60E3-F20A-00000000D301}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452191Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:59.067{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-07EF-60E3-F20A-00000000D301}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452190Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:23:59.068{D694AEB8-07EF-60E3-F20A-00000000D301}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000397416Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:00.718{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A35F3DED6280A52EFC7031FC6C57682C,SHA256=1E22B48FDB3704A70811BDDD44C0B35A1E5C6643A839625F4DAF6BE1EC58559E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452218Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:00.414{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-07F0-60E3-F40A-00000000D301}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452217Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:00.414{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452216Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:00.414{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452215Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:00.414{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452214Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:00.414{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452213Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:00.414{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-07F0-60E3-F40A-00000000D301}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452212Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:00.414{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-07F0-60E3-F40A-00000000D301}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452211Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:00.415{D694AEB8-07F0-60E3-F40A-00000000D301}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001452210Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:00.167{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A92A834844214C647EE658A334EA27C3,SHA256=BB607461E635E55C00B13E6FEDB48B53E9E1CE8EFC62DBA8A0750B223946F6A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452209Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:00.067{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3615C4493B332E7C37B02AD115C7D52,SHA256=3C742EF77E9BE97C9FA151FE2A381A1E947F9D3F1D5DE08FF1EE175734AABA85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452208Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:00.067{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1208227BEDB9A03325FED58308B62F39,SHA256=D1F93F488A8D58E847E3341A0D664A6529C36DF38DC66617781B919E606569C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397417Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:01.749{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB1E9BEC2668A0F492B3FC2C577F994,SHA256=74648692391D0E284BC54C5B061A069809F08DE23B7FE45DAD80E8E5C6BDD694,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452223Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:01.947{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55af0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001452222Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:01.947{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+555d1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001452221Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:01.947{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1485345.TMPMD5=7CC92A355EA66A219E3148903E63F654,SHA256=CDE288AC5D74287BFA2D9257B236405535586530C59E6CD093A4AD9FE7326A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452220Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:01.428{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3615C4493B332E7C37B02AD115C7D52,SHA256=3C742EF77E9BE97C9FA151FE2A381A1E947F9D3F1D5DE08FF1EE175734AABA85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452219Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:01.197{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1608028BCCDB47CC3270D0F62013A0D,SHA256=4ED8ED5F35ED216B2141E28F15B0D6AA3E49FBAF2B08C60FBB08B32C21B05B01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397418Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:02.749{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8BCC5A6038CC0B9F6736EF5C0464F3,SHA256=550B3082AFC9FDE06DE1D4131814FA41C440614EEADAE8739C49E7227B2A7ACA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452232Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:02.926{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-07F2-60E3-F50A-00000000D301}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452231Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:02.926{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452230Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:02.926{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452229Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:02.926{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452228Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:02.926{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452227Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:02.926{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-07F2-60E3-F50A-00000000D301}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452226Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:02.926{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-07F2-60E3-F50A-00000000D301}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452225Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:02.927{D694AEB8-07F2-60E3-F50A-00000000D301}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001452224Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:02.211{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A4009D0C88E88AD3BB32DC865EA09B9,SHA256=D2F67E60B8E58C2B65E242CF980A3A96364497FF5FC8AB4010C2DFEA66939E1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397420Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:03.749{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05BDAE69C9309E9E787F12C1119F500F,SHA256=93DCCE654DF931DED70DEC35BB6E65839658D8E4FB1D258A043AE81D301806DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397419Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:02.464{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53863-false10.0.1.12-8000- 23542300x80000000000000001452245Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:03.928{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E61B57B792DF4E4C7FD3EADC5049F96,SHA256=A7A2004FDA23BD660245F7D06666E13FB7CCF0ECA320E23D9F448CEBEC639B55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452244Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:03.747{D694AEB8-07F3-60E3-F60A-00000000D301}46764504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452243Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:03.594{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-07F3-60E3-F60A-00000000D301}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452242Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:03.594{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452241Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:03.594{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452240Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:03.594{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452239Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:03.594{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452238Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:03.594{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-07F3-60E3-F60A-00000000D301}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452237Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:03.594{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-07F3-60E3-F60A-00000000D301}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452236Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:03.595{D694AEB8-07F3-60E3-F60A-00000000D301}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001452235Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:01.695{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54503-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001452234Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:03.226{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC66742AC5FC26D2C1447A88A29B9CB,SHA256=84AFFC0F8B8F3642F1560A2ADA609344CB06C01707C3F3AB17EFBB82642942E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452233Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:03.079{D694AEB8-07F2-60E3-F50A-00000000D301}59926324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000397421Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:04.859{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF850B66258F250F6438A99482510C7,SHA256=7439D2703D5242CADE56820E30D0F0977FAFBE8972328438D148E37F1D3FE881,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452262Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:04.961{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-07F4-60E3-F80A-00000000D301}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452261Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:04.961{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452260Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:04.961{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452259Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:04.961{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452258Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:04.961{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452257Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:04.961{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-07F4-60E3-F80A-00000000D301}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452256Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:04.961{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-07F4-60E3-F80A-00000000D301}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452255Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:04.962{D694AEB8-07F4-60E3-F80A-00000000D301}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001452254Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:04.278{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-07F4-60E3-F70A-00000000D301}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452253Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:04.278{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452252Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:04.278{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452251Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:04.278{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452250Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:04.278{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452249Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:04.278{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-07F4-60E3-F70A-00000000D301}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452248Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:04.278{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-07F4-60E3-F70A-00000000D301}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452247Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:04.279{D694AEB8-07F4-60E3-F70A-00000000D301}4276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001452246Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:04.247{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78D5005400B51A26BE1DC22E2466A23A,SHA256=D673512692C90FE9E632A2C20FA03CEC6B72D7F1319BBF13DE2B0FC7C0D789EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452267Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:03.278{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54504-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001452266Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:03.278{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54504-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001452265Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:05.292{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEAC11F0A421DDB69F74636E004DEFF5,SHA256=403D519EDCE3EFB02A6D146C1E7B2FE30039E37891EC6E99B093F14FF0A1F902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452264Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:05.261{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=688C0B54C718AEF025BA769C6D096A20,SHA256=79DDF3E459A78C02611C71661CFDA2A1404A6C60D3D52B4B1EDDCA620AD37B98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452263Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:05.124{D694AEB8-07F4-60E3-F80A-00000000D301}57126260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001452268Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:06.291{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED8F7D104F40D42736D97189CB75E3A,SHA256=3A758FFE86FA1531BF6E031F2E06F154666848BE48D959FE94242791CB73E14D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397422Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:06.031{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58B1F254E217007440C7E48706AE4414,SHA256=857B057AEFC65B1DD30C6A2D444924EEB44A13911F5D270C1BA06832EA477EE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452269Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:07.322{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19CA08EEB3545EC08C32E6446EB545FB,SHA256=FFB20F8D034CAF1D72A1EC87E11F4E40EA0F9233962C1F41FDC6707EB399B1E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397423Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:07.031{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2980846F278C35D5387CC8F1464368B2,SHA256=873D1241C679C82C82560A76FDBD22B9EC3FF78DEB69D6AB4A31066F89F92C64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397424Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:08.046{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F444AA125C9EA11E1F4272ABE266FE2,SHA256=283F2463BEC00AC43F891EC4B4961A996F38EAAECE13BFC88FE75080045A7075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452270Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:08.358{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05586587543A74BDAA02687DB11EA1E2,SHA256=CCE0B53045EED82D7C6163B4AACA7D30AD68CA72E1E44F1B85CA159FA05FE5A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452272Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:07.457{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54505-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001452271Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:09.358{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A856500721DE3F5651E977E835E8A0AE,SHA256=FF419D44A686E59657D52DA41DE2C7C7627DC4E376EC1F2C6415FE1456FD4579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397425Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:09.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DAE3240ADA7330ECB50FBB3A02C1E3F,SHA256=B0A34EA0C94E99A3AA91F5090769D58E05E1B10C82238DB55287D49637A51101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452273Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:10.388{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D9B3DFBB05C15E53D9EB9D8BD4C047E,SHA256=1782C8E98F4FD1A324AC98ACAE0C3A798EB34F0D0B93BDA543FE05FBDA48EC6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397427Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:08.401{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53864-false10.0.1.12-8000- 23542300x8000000000000000397426Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:10.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D3D0531B678AD936691E61C3BA5A31,SHA256=7C79693AFEABDDD8DA3DE680B75BF752E3F431205C28F43924EBA02972DE6F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452274Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:11.388{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B76523B6D01DABC5A2ED2243B39CD7C,SHA256=549270E05BFB77321E7FBCDEEF735C735109DE598AB071445557C0C1801913FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397428Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:11.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14C952EDDC89CBBF96FB9A51E5D35845,SHA256=89D6AA1865BD8C6FF3B8EFA8D30FEDCB4B64257890760243256512CF6FA648CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452275Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:12.419{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96E97FCA724AA47D05BE75C4AE6B9EA3,SHA256=942FA4E51656012B69309067E2330A5826DF5ECB67733EC916C4E3EBDA588008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397429Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:12.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C476AF86DD1F524C026D08CF1BBE2A9,SHA256=A909408B3A726C265A10617CCF5E31F1324BEAB17E14BE8E52D4566833EA364B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452276Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:13.436{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=957E0B72348AF4A7D91F2325FE891CBD,SHA256=283BCFB9F21D5379BE31B25EE6601370274A69A42A8EF23803D71E8E62DCE336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397430Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:13.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B944261415CFEB33E5F22B6C136DF40F,SHA256=089CC0B8A95440DC6CE56B03BD4C49CF5D09A850C0721352C458CCE15E244955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452277Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:14.455{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D34959085EBFEB96FD5C34AF76BA55CF,SHA256=847C8D590417586C8790951077C07BC9B736DC0751F92A86C2D15A8A98E5A619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397431Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:14.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DBE98C1702010DD4A75483719651780,SHA256=1A2117571AE1711918D5776923D7AF6CFCD574A58F068AE979362836FDF4E90E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452279Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:12.671{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54506-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001452278Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:15.486{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9429E3217EADBEB6FB808A1618E250E1,SHA256=37573080BFD25A4D802D9B6B2994D7F4AD85A085094F3770C2450F3E3C3D604E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397432Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:15.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89AA5F8454A14508B57AE67DC8C9F805,SHA256=D5EE9AAAFFB79571051274E359BAB0DCEF42CD0420D42EF1B70D063797BA09B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452280Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:16.516{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2106C29FF448D0A6880024ABCCFF9357,SHA256=BCF874C10E09FAB2415FE84D9C038788DBD79CB76E7E2CE32B4D38A82BF897A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397434Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:14.432{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53865-false10.0.1.12-8000- 23542300x8000000000000000397433Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:16.281{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A764798DC601264DCC08B72776A5A14C,SHA256=351A90AD32E9532908986DF1F60E68A0F8C05574EDC16C41B20A77087CBF2CDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452281Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:17.534{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64340A3718314BD8E8717124D726ADC1,SHA256=C9B2290E8FC4E9F7F78E83D844E31F4888E636ABBB7ECAAAEFAD9AC7E10063AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397435Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:17.281{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D694027CA3B7B9F694D1CFED8A3EFF1A,SHA256=BC7C9B89CCF69FE2E2D1D9DF7730254CBA54DDECE7BA2D72B6A86A1A326D29C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452282Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:18.551{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CBC6CD0F1825A1B85A42B9A724A1868,SHA256=4CBBC3C078B6E52C352892C22FCB22A00779C6807D6DAEAB7028DF7FC3277415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397436Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:18.312{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB12A1CFA963E052A15BC8BA222DC9E9,SHA256=223C6F2B7A6620F3F87752ABCF79C4938D32E015F63DBD58CAD82571B8E1CEE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452283Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:19.566{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77BDEA6554D7443F624DB832AECA7460,SHA256=BBAA8EEA3C50A64F73238D1979A1AB0C4748A202DF5B194B7BCA7ABE96789837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397437Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:19.484{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91CC02E285E8A715FA396F75255B47DD,SHA256=1F9F487C77F5A57DD3F0C71BBA9B5033AA881F12F44E281C76DDADA9B19EB643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452284Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:20.580{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC2590F3B1E7D3502C7F881EB0A87754,SHA256=86773FA5509A0255616D3CEA6F45173EDD0D5DEFED0C80630BED6F3C735978D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397438Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:20.546{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9AF585C2EB43C341199CA8F7FB5B832,SHA256=CDFB39DC43EF51DF299007BB6612BE7BBC61634663697ECF9DBD757E31965BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452286Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:21.611{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A188C823363EF121D51F27AB6FDBD093,SHA256=05E3E2F4DACCF39F29115B903BA97C40BF9F9F4561D24C11CBDB7675687EF180,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397440Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:20.463{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53866-false10.0.1.12-8000- 23542300x8000000000000000397439Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:21.609{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA0E8A6C9ED8E5E6EF07198AF5C22ED,SHA256=7BB243647D95CCB4A732A1D41D17B496F48EF950A2BEF49A20B8E76CF084D8C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452285Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:18.650{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54507-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001452287Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:22.628{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2617F23034BA3097CE1C56234E706103,SHA256=FCF2DFA3A344FC17171F085D9811FBB8BC950804D6465E449C01EF318259289C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397441Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:22.640{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C178AC499C347EF30A68087C369B404,SHA256=BBF1906C7C28F480E3DAA8E99117349491FA3DD64C7B7619A485E8B175DF0C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452288Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:23.646{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72CD25890AA4DF65928D28B53C76A232,SHA256=02C74CF86DDB9F19BA10A1AC814C98087DD3336893951C8AAFAEB4B9222937CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397442Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:23.642{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED883BCB1137F0ED9DB4B98BC515BF66,SHA256=6F28CFFD284DEFB37B8CE6C90A8EC29C2B082DD3F953732FA811113D7C458115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397443Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:24.669{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD50D73EE80A7595EF4C0EB0A77D6C17,SHA256=CCB1171B74E516827E027213074B660EACB8C6C780064AE307DFB13A93541618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452289Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:24.676{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E52F9393C36020D6E742038E3C6D59C8,SHA256=625AD2342E08337D032D888FA741249A7038BB281B8F86714EA7FBAEAE745410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397444Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:25.670{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=754761D6B21B3748149CB0ADED1AEA37,SHA256=240BC77B9B4DB913B521A780302E78FBD27848B696A52AD55C2F08CA05636BE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452290Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:25.706{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF4D9C58F8794AAE022D68320A1B97E3,SHA256=763A7BCB990466FDC6D82825D17A4C133CBDDE04A986AD578EC627C8FA7942FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397446Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:26.843{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6691307681D167C2B0A15D2A195C6FE,SHA256=5678D1714FC7B2579DB9DA6DACB71F575C5F4CC548FB3821615EFA68DD41976B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452291Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:26.725{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB140BDA89BB3C48524517D7A54B5F9,SHA256=D04B3C0A397DB3416C8F7D7C65A8C6E01DB7E4BA1EF0108541ACA30532C428F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397445Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:26.327{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=43FF4E231BB1BF82DCFFCA529F644EA7,SHA256=14AE9E1538DEE55D56BEF84F64176F6F12DE27C2F4EC058F077A5F408629B837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397447Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:27.858{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FCA9CBF0B7B04104884378C4856595C,SHA256=62860192603DE5F7F2A2EB5EFEE0DF46FDE3A3CD1BCBCDC018062BAFE326C571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452293Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:27.726{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5103903C87EFD08F55CB7D5786B2A605,SHA256=4D508289478234EFB4ED11D08E08A81F8EA0853F2126D2963331FCEA21AD338D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452292Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:24.675{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54508-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000397449Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:28.905{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DB3FA03784BAFDCE4DE457CD1999167,SHA256=98E9E6B6E85E0AEC08C01CCD8C197D564E3E0DD5E2D61E452FCDE489DD1786BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452294Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:28.772{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9504E42F12B07840E0C945D40443035,SHA256=40C7333035C1F05D14528B56C066E8D2804C818C4E51C4C355EA06529D95B952,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397448Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:26.416{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53867-false10.0.1.12-8000- 23542300x80000000000000001452295Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:29.802{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D94B1CC4ADDBFF70DA863F2FF381797,SHA256=07313A97534FD10C044D571EEEA995AF62E906C68C816CE731A3188EA07A7623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397450Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:29.920{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E1854C7E1AA3449BA2DFE721CA46ED1,SHA256=AD1C2CCD3304FFA9E02E5B31570109695059EAA1F033D3FF90ED8C5547889DCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397451Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:30.936{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A9B3C8359CAA18CAF05384372E646D,SHA256=FBE1F4ADB83C38B799E74889B05C85889F066F130B71406DC042CABCB3034539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452297Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:30.820{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA5840F0814728FE0CB7CDB905B5FF7,SHA256=975C8B8619FDDDE567E3519B27CAAD3FD9CBDC53ADEF21003B57530673D46871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452296Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:30.402{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397453Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:31.952{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F2B4FFB5A47EEF18A81F40EF058F77,SHA256=F4E894F0BCBB8CB300D9F0959D005B3500B9A47CC90382A145FA4DEEA12011C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452298Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:31.837{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6A67384C9F179E1B94B08ADBDEB816,SHA256=E96BEABFCFD02830B04C9F6B21CFA0C6502C80C40868A558E09F1D842E7CF9D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397452Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:31.108{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452300Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:32.852{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969E196A502197006BCE8BF4F0151E12,SHA256=5B3F6AFD5905259C30DE943B08F55901CA0242604641F98DEB08DF8102CECA31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397454Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:31.291{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53868-false10.0.1.12-8089- 354300x80000000000000001452299Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:29.838{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54509-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001452303Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:33.914{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=934C024F7A3DBDB8E4181A52D464869C,SHA256=B9B472E3E9CCCD14B2A4A86946BD7ABFA4DBD3A79C679398B012F2FC1A38A0ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452302Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:33.883{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B47516EB3F8689B37A2829B401C2CD42,SHA256=B4103FDCB611C65716AB7B03B187BF42B69894689572E8EFC34DB1B36B01F54F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397455Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:33.092{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D81AF12F290B17A2C95616D933D54EE,SHA256=76A57CC2FCBD833D183A46197D75D351F8CC7357868F616B074FB91CE4418A0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452301Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:30.690{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54510-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001452304Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:34.897{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B741142DB413CA763F85CE76AB963C,SHA256=F3BC4C167F83F13A5605B04367990EAF8D6C9C34A71EBE2AA4679DB172C1F757,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397471Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:32.416{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53869-false10.0.1.12-8000- 10341000x8000000000000000397470Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:34.844{7F1C7D0B-0812-60E3-680A-00000000D401}31361860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397469Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:34.639{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0812-60E3-680A-00000000D401}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397468Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397467Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397466Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397465Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397464Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397463Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397462Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397461Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397460Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397459Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:34.639{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0812-60E3-680A-00000000D401}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397458Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:34.639{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0812-60E3-680A-00000000D401}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397457Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:34.640{7F1C7D0B-0812-60E3-680A-00000000D401}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000397456Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:34.108{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D378A9191E7497B4B95EB6B692951A9C,SHA256=75B5CDD9DD7A00FC8D7177BC196C6406F4FAB9175969D0C91E2CE5ACA58E75A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452305Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:35.933{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566EB2F20C6E7976D9E1D1FAD8A96C1A,SHA256=3DDFB2763EE7AAAC3743E6AB19994C44D23B51EE364FA4E67D19C8A43509B151,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397500Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.811{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0813-60E3-6A0A-00000000D401}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397499Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397498Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397497Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397496Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397495Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397494Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397493Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397492Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397491Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397490Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.811{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0813-60E3-6A0A-00000000D401}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397489Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.811{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0813-60E3-6A0A-00000000D401}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397488Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.812{7F1C7D0B-0813-60E3-6A0A-00000000D401}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000397487Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.639{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=010CE474DAA48E5F8BF76325EEA58490,SHA256=BED5E5E43941DF5F0BD2014BC8EA06408063B618E7DACCFA22172E32BA8166F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397486Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.639{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD8A62F9B932B48AF20BD77E924B0BFA,SHA256=E43CC6CC42E4033B21A36DA86F493754A8325B33C2358B9DD28532CF98E77F3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397485Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.311{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0813-60E3-690A-00000000D401}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397484Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397483Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397482Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397481Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397480Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397479Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397478Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397477Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397476Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.311{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0813-60E3-690A-00000000D401}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397475Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397474Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.311{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0813-60E3-690A-00000000D401}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397473Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.312{7F1C7D0B-0813-60E3-690A-00000000D401}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000397472Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:35.108{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C6F118BDA19746EC167984C79AA058D,SHA256=22ECF99A0A7B4A56A371EAE428EAD43D5C208C429B901D762F94A60912B7359D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452306Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:36.949{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EB09DDAB257F2221F846269F08DB5C1,SHA256=E10D69FD6110AED22A21EF7C4D1C55FAF0AF50F5D3B3BFA731BD025901F8DA3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397502Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:36.905{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=010CE474DAA48E5F8BF76325EEA58490,SHA256=BED5E5E43941DF5F0BD2014BC8EA06408063B618E7DACCFA22172E32BA8166F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397501Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:36.280{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C7A2AFA5BCC8F1F49561A38BE1EB6E,SHA256=5B2CA353368DB8260150403D84834396D4925D1C85CAD2F9149F21DDC1A69CC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452307Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:37.964{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB965F26468BD8D58D3CE44612345802,SHA256=DB7E1AAF04322C816B3E65733DCEB3FEF619A80175DA422C422D4811CACEAF9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397503Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:37.499{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=816A49D4B558EC5520808ECE77350957,SHA256=71C96CB86B2CE7131E47530189DE06AD0B99CDD1AE5090132703301529F25E18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452309Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:38.995{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546D88061748837CF3E8BC5E473D03F5,SHA256=DE21563EDE38C7BFACFDAF57DC549F5932C32C9BA2EDBC5E2A86BCBD2D8B49B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397504Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:38.499{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857A7989F313BA41482A97B173A43CF0,SHA256=DFC27FF8C0F04A52CB6585A0EC48DC8420E12A6EEC4278B4259D468BEB8FE4F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452308Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:36.463{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54511-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000397533Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.765{7F1C7D0B-0817-60E3-6C0A-00000000D401}5282616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397532Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.608{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0817-60E3-6C0A-00000000D401}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397531Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.608{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397530Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.608{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397529Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.608{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397528Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.608{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397527Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.608{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397526Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.608{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397525Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.608{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397524Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.608{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397523Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.608{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397522Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.608{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0817-60E3-6C0A-00000000D401}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397521Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.608{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0817-60E3-6C0A-00000000D401}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397520Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.609{7F1C7D0B-0817-60E3-6C0A-00000000D401}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000397519Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.499{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97700AC07530973ACA74098CC6836666,SHA256=289AE92936FEA755348AFE6A0498C12AACA57387EDF41AE88AEBF75F97FB3DBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397518Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.358{7F1C7D0B-0817-60E3-6B0A-00000000D401}19522908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397517Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.108{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0817-60E3-6B0A-00000000D401}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397516Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.108{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397515Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.108{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397514Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.108{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397513Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.108{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397512Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.108{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397511Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.108{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397510Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.108{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397509Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.108{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397508Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.108{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397507Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.108{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0817-60E3-6B0A-00000000D401}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397506Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.108{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0817-60E3-6B0A-00000000D401}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397505Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:39.109{7F1C7D0B-0817-60E3-6B0A-00000000D401}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000397563Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.827{7F1C7D0B-0818-60E3-6E0A-00000000D401}38482772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000397562Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.780{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A0190006B947AEB73008E4ED3F07D93,SHA256=B7EF30E446AA3A91837A89DE3CD0D05FE764491EC90789716CEBB5A31F0D70CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397561Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.655{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0818-60E3-6E0A-00000000D401}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397560Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.655{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397559Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.655{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397558Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.655{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397557Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.655{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397556Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.655{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397555Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.655{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397554Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.655{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397553Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.655{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397552Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.655{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0818-60E3-6E0A-00000000D401}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397551Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.655{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397550Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.655{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0818-60E3-6E0A-00000000D401}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397549Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.656{7F1C7D0B-0818-60E3-6E0A-00000000D401}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001452310Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:40.011{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E40D5FA577FD18F9678C6E57C07966,SHA256=0305C5C8978402DB24B2A0B81520E4A172C8B47F479E78B510562944202B98A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397548Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:38.369{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53870-false10.0.1.12-8000- 10341000x8000000000000000397547Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.155{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0818-60E3-6D0A-00000000D401}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397546Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.155{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397545Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.155{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397544Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.155{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397543Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.155{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397542Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.155{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397541Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.155{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397540Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.155{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397539Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.155{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397538Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.155{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0818-60E3-6D0A-00000000D401}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397537Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.155{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397536Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.155{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0818-60E3-6D0A-00000000D401}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397535Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.156{7F1C7D0B-0818-60E3-6D0A-00000000D401}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000397534Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:40.124{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C047C89EF030660500683FB999447CFC,SHA256=B8F0C4FAE5BC94E7BC0606FAAEE1612A11D264A95E4784B0A5F24115C18B0BA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397565Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:41.670{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=854FC11FA4C2B1A3CFD2272F82B9A22C,SHA256=902B4D0C93F2E4E4B2FDED2FC20F317C4A2BA5871F514168DDE3FA9C572C6216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452311Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:41.061{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4595471C3B1BFB28FB7639BDDAB4CA27,SHA256=C825D93675552BA8AFC251266517009508E8CCC6BB70B43A72F76C529F3D2C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397564Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:41.249{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=878A6AD868EC4575605CA0A70D3EDEAC,SHA256=B05C8989DF0E252B611320C05A90F26D23247694ED0C8FA8DAC45ECBF3FB0909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397566Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:42.843{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921EAC6C62B67F046849D91A1CA2F1F7,SHA256=22BABBAAA9B31EDE6023DA5943089FC388EE6946665E76477F2C15506031CAB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452312Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:42.075{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E3EE458E59F441D3F0C41CD36C0DC32,SHA256=7CBAFCDD18A1DCA733B1BDE8B0F3ECC368472AE97C99A519247F88328D7FEEC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397567Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:43.858{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1098F6F46ADF006070E418DD84759E94,SHA256=A12A93281E0D8C7B77804433CABEFDB71E51AA94333ED1EBBF1C44CDDC2EF5F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452314Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:41.680{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54512-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001452313Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:43.090{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5C26F4626F7570AD29F7D593BD204A,SHA256=177DF9463E9892A16E21FBAC2C9EC017B1B747B2C5FB96E0763BCC843B1C9C97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397568Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:44.858{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8866809913129D08CD56F082629E99F,SHA256=E3838134C329836BFDFDC99F05E5A0F1224234BE4C8D7AEDDF55A9D1EC6F41A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452315Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:44.126{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E40D9EF66A488118F7106FFC619BBC6,SHA256=BE25B46DDCDEEDCA782BBCC736AAEFB04E735CEB870E6250D3B9F7F1CA925F99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397569Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:45.858{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E73A720D2FDB80F56D6EC4583A6A0CFA,SHA256=65B5A761312881B43FFB0438C89FA8179FCF05F2A0C3FFA664CDFC6D155B1F62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452316Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:45.156{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84D4F9D0AE26DAF9E4464FDA0E77352D,SHA256=0D3F8E77F46CA88AB0451DC47ADC95FFDB6A04CCEC9E5FC772EA5FE604883A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397571Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:46.874{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFC5EB293252F12B2BF69F2563EDEACC,SHA256=E6DF3ECC909837D87F19B1C2B0E8BA6F0E45996E0D484B7EF717815C73087899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452317Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:46.186{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7D2F6653E7B636D5CE87749B4DCF81C,SHA256=5C790AC7727A7623DEA6C95C09092F9F86988E76609BD0C8C0A8C5BEC218CF31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397570Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:44.369{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53871-false10.0.1.12-8000- 23542300x8000000000000000397572Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:47.889{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150954EC4CE0A2A1ED1C5BF292B089AD,SHA256=B6B458D72FC75DAB5A449766BCC476ACBC403D2133FA6ADD5C565C0E7715B640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452323Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:47.856{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=C348641D14670B1AF3839F74478C7472,SHA256=A7A8B6A05472F07A29534FFDEF46CFC9D2DF1B4A58416F3A31024C36F75DC3D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452322Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:47.856{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=8B8A475A95849C989807ADF8715B0245,SHA256=279714F37423A7E9F58742BB6B5666A1C306F4383791CF1FA964BCADF2D9153D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452321Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:47.856{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=2E8BE04BEEDD8FB0DA90786E8D56E2F9,SHA256=8C12A2258B473E590842C06DE8C798FF6289A7A4616A9690F5F1EE7E4C365BA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452320Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:47.856{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=5D0C8B8C42A975EC9B6F2B615C1D86AE,SHA256=96F9AED119CDADE5C4EE9124DC846C9DADB35F7422B11ADF20138DFF7D73495D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452319Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:47.856{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=1241B8BE021139A87A5BD7DDCFD45882,SHA256=2B7188B03197FFB3C9BF87621B466049859909FF97E72FCE8968B1FEE87714A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452318Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:47.188{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F5A86D13F4B574EB25D7429A6D13F61,SHA256=F9EDFD977355480970792CD62537331EA189246C8DCFADBCA83BEB9661D1BAEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452324Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:48.206{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B99759A4A23E768CE8B5B9F5137ADC1,SHA256=75BDB789341D54C71F3E71C97A9978A359C9ABB29F7941AAFB212536B92EA95C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452326Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:47.493{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54513-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001452325Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:49.225{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E80135183BE3D1F66BA74F46DDDF40D6,SHA256=F35AC5BC75E1867E35A40A111CA0E67239D248528847AA5FF7642289A0D59E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397573Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:49.108{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=601ED4633E8F67642B757CBD1031E9B8,SHA256=ACD462A17A4A054C76EB441AFA2A91FBDA24EB88807C89BFD0A242CF1CBABB75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452327Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:50.240{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09029D37E8E6258F58F2C88ABC0EA616,SHA256=B9F6E14905D2C5AD7D6B343DF48BD9390BF0EF74E10D677FABBBDAC9B155CAB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397574Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:50.186{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB76CA6A5A1E54F53DC8DE4C2EE3237,SHA256=8EE0187324FC241BED328EF0DA3C691CC39304B17B9733CDDC3F297B019ADB2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452328Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:51.255{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACFB3447221EB1EEC0A0E0F221E20B54,SHA256=749C01AAB270328635BE1A3155A26D09DB1C8AABA7AC8B175F9200CC9087A51A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397575Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:51.280{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1832A09E1BCF153D8360A2EA0AA5D29,SHA256=D36C99509C84CAFD6F4143DEC3D804C8E1729F9CA29F20AC16B240AD7E223A4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397577Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:52.280{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78DF7CBD12B77160A6EEB57A6ED787A,SHA256=CC2FA43834A0C272D2D9F66DF3EB6D5C1DBD9BCD36875A6C60A53C624641ED18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452329Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:52.269{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0C39EA044ED9CDF6F2150E109B228EF,SHA256=4BAEB0510AF85C32566E2F66C02AF3534CC0B91A01C111F7B6452A3CF1AC4B8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397576Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:50.369{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53872-false10.0.1.12-8000- 23542300x80000000000000001452330Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:53.284{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1568450E9FD1CD6F1854F4C8F597E1B,SHA256=21240FF19E6AFE38CCF920E60EA7AAB6E9BA78CB299E8E2F7978303E328E83C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397578Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:53.280{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D425C8FF37FDE4040B7497AA898B0B8D,SHA256=6974A68FD9B33269C78E4ADD151F49B5EBE31458A14C5D7B2AEC1D93EAE377D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452331Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:54.301{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1EB6AB5DE2D7A3F9C170190C4BEFDB2,SHA256=A22079405A33AEE36B64C145F74183049A2BCAA5EF0BB57E2203AE10A43BA564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397579Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:54.280{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529D215FA8AFCE233665EB856B2B1DF7,SHA256=D35ECD738C2D31045205C905DF34F818E6AC78B0522E8EFCAC68D8C9D01F4CB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452333Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:53.489{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54514-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001452332Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:55.319{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A2B6BB77CDDD56CD7A05871B8DB8CC,SHA256=38E3460F8D19F6145AB91E51080474E1F024EAE9E46FC40DF148BEBE4555DB90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397580Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:55.280{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6E9007C1B7726E11C31F8ADDF3C8A6,SHA256=CBA601BE0C4B01EF96F5A6FF42B33601B163B0386CEDB9A44CC73231639FB247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452334Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:56.334{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85A90880CF48527C4FEED5F768580D92,SHA256=0C1BDDCFC5DEF2BA70E86BD6426E3ED29BB44B244F0A94E8842B0F56D00F9A6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397581Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:56.280{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42101A821B83D4188884A047165A4695,SHA256=8FE1B8B287136F8F20EF1E30AFDE013DE71571E7C43A584900667855E88032C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397584Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:57.405{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B73B75FB2C0BF55367FDD36158A7F4B8,SHA256=79E6F6C7AE4894574B99CCB56702A085399A640DD65AC1FFA6468C4E5296DBD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397583Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:57.405{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A82CA4C643AD01263A049B64B273F4B1,SHA256=4CE742664D40074FE36ED6F785A6D5F5A581A0E5C740C5D24A3778BFF75468DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397582Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:57.280{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF2E88DCD57E4E96DA7178F9A104ECC,SHA256=ED812E39B6505249CD36D06E37131743327CDFACF3CF62F9DBB34382B57895C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452340Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:57.879{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=CE723D03967F64843061174EE0466E1D,SHA256=33E0618CA4022027E562BD3B011BF15CBAD9285EE8C380D672886CF8BB0E25DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452339Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:57.879{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=2C24D3C4FC221042728B53C1A162A2CA,SHA256=3AA117134CE74EF3B2017A9182F86EF1750C8125C3C89E58250EC3E85CE609CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452338Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:57.879{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=931B9F225F886507DE216F13853B341A,SHA256=8DCB2B4D35F8CE89AA9C79618FFD8A74CBA6CA343C7E4AB03A778843FE0A133A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452337Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:57.879{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=8C5EA462A93450B08BAF17BC2887BB05,SHA256=FFC7A2E07FAF4C023016EB1621118A78FEA30466F8B4A19DDEEBC28EE1DBBFF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452336Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:57.879{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=7CAECA48B6C5FE26C6A27E15D291B472,SHA256=D8B657C2884B834E52A49F763B37ED9B694B1DE8DC5903B3CDA6AAD9CE98C752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452335Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:57.349{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D487A942B88F50C47B184C9BF5113149,SHA256=F30F220C8B9A7FC123CE408F91BCE409D89AF369348C6082143D603874CEE880,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397587Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:56.322{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53873-false10.0.1.12-8000- 354300x8000000000000000397586Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:56.310{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-60422-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000397585Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:58.280{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CAC6689F942F924EFDEFD2DDE2AA941,SHA256=5C1320E61910438C79B58B593BC34863A83F58EF5A452BD327809290CAB69E0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452341Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:58.363{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E804D7407F82D379D1D0848EDF257119,SHA256=2D51EEE8743170481AA8ADAE8D2A224D3E51929DB242A65621EBD176CC550184,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452359Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:59.800{D694AEB8-082B-60E3-FA0A-00000000D301}71403336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452358Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:59.647{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-082B-60E3-FA0A-00000000D301}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452357Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:59.647{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452356Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:59.647{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452355Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:59.647{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452354Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:59.647{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452353Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:59.647{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-082B-60E3-FA0A-00000000D301}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452352Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:59.647{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-082B-60E3-FA0A-00000000D301}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452351Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:59.648{D694AEB8-082B-60E3-FA0A-00000000D301}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001452350Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:59.378{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7DB41F7DB705EFCD6D6F63DE6FC91EB,SHA256=FC59DAC90BA3C50F57BD77C29764F1B83C51F10A2045205A842221F97B919706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397588Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:24:59.280{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA47F42B697D3E46C9CE9C22766A25BA,SHA256=BEAF1D8685DB2B288DA3177EBBAD00842706DCA8BFD71F0B9B08A02DF2C89B6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452349Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:59.078{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-082B-60E3-F90A-00000000D301}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452348Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:59.078{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452347Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:59.078{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452346Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:59.078{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452345Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:59.078{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452344Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:59.078{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-082B-60E3-F90A-00000000D301}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452343Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:59.078{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-082B-60E3-F90A-00000000D301}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452342Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:59.079{D694AEB8-082B-60E3-F90A-00000000D301}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001452370Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:00.399{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FC5163A1BCB4A0F65566E13814FAB19,SHA256=55EA69E9C9C2C92A2973B99DD8F5D417282E90EE3EF3270C87B28429EE50A829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397589Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:00.280{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C28E9F7F1232B1852ED69C7C7D71F49D,SHA256=789360B6BB75EDBF1272F3A10A2B6150DD82F4D0FA85BE7CD57D5337353A8BCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452369Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:00.262{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-082C-60E3-FB0A-00000000D301}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452368Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:00.262{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452367Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:00.262{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452366Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:00.262{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452365Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:00.262{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452364Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:00.262{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-082C-60E3-FB0A-00000000D301}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452363Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:00.262{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-082C-60E3-FB0A-00000000D301}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452362Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:00.263{D694AEB8-082C-60E3-FB0A-00000000D301}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001452361Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:00.098{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=918B2DA819C7A77F257B4F3617E19DA5,SHA256=9CB96AFE2ED141A309829AC2A8DCFDA2351A6E70057701209713FC6BC514EDC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452360Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:00.097{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36C1F28973196865DE58C979DAA477CE,SHA256=A35B0961FDABA6DB156145893EE43F86D7448052F05240484E6258B377351EF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452373Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:24:59.530{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54515-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001452372Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:01.413{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A5D3369425799592ADD4312BF0F5AFC,SHA256=636028B28CBAF1196BD11524300E423A39EE5481D3743017E29E3A05F9B1C943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397590Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:01.280{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E88FE647542B42E05C4769533EFCADCC,SHA256=16526A547C163875295111F2E6AA8247DE6AA125C059EC9BCE07D476FDAE3D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452371Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:01.276{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=918B2DA819C7A77F257B4F3617E19DA5,SHA256=9CB96AFE2ED141A309829AC2A8DCFDA2351A6E70057701209713FC6BC514EDC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452382Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:02.927{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-082E-60E3-FC0A-00000000D301}2196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452381Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:02.927{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452380Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:02.927{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452379Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:02.927{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452378Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:02.927{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452377Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:02.927{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-082E-60E3-FC0A-00000000D301}2196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452376Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:02.927{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-082E-60E3-FC0A-00000000D301}2196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452375Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:02.928{D694AEB8-082E-60E3-FC0A-00000000D301}2196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001452374Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:02.428{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AEA52779C06D9AD4F12E380C16DF88E,SHA256=9F75661F434B4DB0920B273791B31CA5C433108983E6512A9433D2F91A4BBC7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397592Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:01.354{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53874-false10.0.1.12-8000- 23542300x8000000000000000397591Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:02.280{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72E127EFC9AD892A9C40D918DC77FE6,SHA256=E96697E93A6BE003532D167740479802FE6BEB954BD9B8A10C3AD15542881965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452394Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:03.928{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF5501EF9D2C44BD64FBBF59F8DF9DF4,SHA256=483E4E825DC112D6524BC5ADD21D40A9B90C1A4014E347C13ED6FBEB3294D00F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452393Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:03.760{D694AEB8-082F-60E3-FD0A-00000000D301}52604316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452392Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:03.613{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-082F-60E3-FD0A-00000000D301}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452391Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:03.613{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452390Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:03.613{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452389Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:03.613{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452388Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:03.613{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452387Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:03.613{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-082F-60E3-FD0A-00000000D301}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452386Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:03.613{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-082F-60E3-FD0A-00000000D301}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452385Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:03.614{D694AEB8-082F-60E3-FD0A-00000000D301}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001452384Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:03.429{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C57F22AEE77331A1819C427F606B75E9,SHA256=1266BE4044F0E030ADF43A931FCCC898D2E344926230865248CB349B27A22202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397593Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:03.280{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DBE617233373ADA20ADE72458D33B0D,SHA256=8246EBD150FF2D82C417D6F5F5818CF810D4E0A4578BF32193A06BD7076DDB74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452383Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:03.096{D694AEB8-082E-60E3-FC0A-00000000D301}21964704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452411Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:04.958{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0830-60E3-FF0A-00000000D301}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452410Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:04.958{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452409Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:04.958{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452408Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:04.958{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452407Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:04.958{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452406Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:04.958{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0830-60E3-FF0A-00000000D301}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452405Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:04.958{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0830-60E3-FF0A-00000000D301}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452404Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:04.959{D694AEB8-0830-60E3-FF0A-00000000D301}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001452403Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:04.443{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDC3274AE295AA6F1E8501DF0667E30,SHA256=747F007707DD9A9E2A789963E64C407FC0340E8C6E7CE79017A65A92E0552C1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397594Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:04.295{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B527F0F90D324EA5B4E4E1EB738529F4,SHA256=202AEA6D4379D3984ED201AD40AC88A23B784E9E827D1088D08CB0E16A67C164,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452402Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:04.275{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0830-60E3-FE0A-00000000D301}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452401Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:04.275{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452400Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:04.275{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452399Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:04.275{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452398Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:04.275{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452397Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:04.275{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-0830-60E3-FE0A-00000000D301}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452396Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:04.275{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0830-60E3-FE0A-00000000D301}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452395Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:04.276{D694AEB8-0830-60E3-FE0A-00000000D301}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001452414Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:05.473{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B48309F14D8A4FAFDDD79B8E0837617,SHA256=C557CBF6237E03259D012D19B2C386FF4D6B0D62129A28747DB6EFBFDC135489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397595Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:05.296{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2964B4FD76F324F923AE0B3D38D386DF,SHA256=DE29C60243424CF577897E8C3DF0CADA44B23EBB651EDC2F49EDC984DB6702BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452413Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:05.293{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=804371AF7A8B4AB544E0D3FAAF518E33,SHA256=4FAD8FC75D12E0ED9583ABDED59787F200C4C666149BE92C615A2E36D4F83C63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452412Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:05.111{D694AEB8-0830-60E3-FF0A-00000000D301}34446852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001452417Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:06.491{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD86547E09F070592ECCDB0B9D320108,SHA256=1988040063D52C7DA2962096211E70F6084925E2C523B55B12D2432EE54AF575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397596Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:06.296{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E390F1D12BD63119D181DF467628154E,SHA256=A0836237C93A035DE4A68BE29AC8E940134E4BB7D71FC3E810E0FE32F2F66D10,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452416Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:03.297{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54516-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001452415Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:03.296{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54516-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001452419Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:07.508{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C2FEE8D763C61C29C9EE6B679D6E332,SHA256=153C8C42DFEACA47267238A946E329A33D3746BCC675D3D0A7D0EA3EF9E2D072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397597Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:07.311{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4026DEA228DF4466C087CDEF48A738AC,SHA256=BD5A2D4AFB2C28734671A67B2BF31C96D9AF592B296CEAAE11C3A4B4100336B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452418Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:04.542{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54517-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001452420Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:08.524{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A9C56DCED314069F9CACE9B32C282D5,SHA256=7BF9AE8109C8C795AFBD69EE20D136C2259963814D600EBE7ECB4C241A01A537,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397599Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:07.355{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53875-false10.0.1.12-8000- 23542300x8000000000000000397598Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:08.311{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C304D03AF79942A1C4963E18F97DB95F,SHA256=6F3885064D23F06AC0A478F084BC60D3ACA22D231D1FCE9458113F8C5F732F46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452421Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:09.539{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0EADD445C2160DE7B5C779C2810175A,SHA256=E0FD23461B8FDE4C45C5F64B65165E8BB3DB97B880B250D2D39DA1427BEAD0DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397600Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:09.311{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8A51F799D752FA08DF4432344238D88,SHA256=7EF05F1EBD0C419A9F58BC6DDF59558531316429E695653E68AC85CB9AA34D44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452422Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:10.553{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15990606F98587AB4EA44D7FE3E25490,SHA256=BB137E2A6EFBDE34232A3BABE3B9B64DB8168BB01554F981FB716337EBA26AD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397601Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:10.311{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01676ACB8C184B9D1EC82B91A0114DD9,SHA256=5D02B295619551302F2AB0DA11B5A67BA044E545DCE319203786A86E5FC49BD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452423Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:11.568{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37861264A6E188F1E19BAA82DD7245DA,SHA256=51349300F4A2B103F4A2D67C8BDFCEB350B416F31FBDB90050D1AB3F3B47FD54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397602Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:11.342{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE57541D7BD7FB4593E86BB73A817991,SHA256=BF384E98438F4E67A30FA5D431511750EA3CE03280B37206672903530B67EF2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452425Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:12.668{D694AEB8-D134-60E2-1A04-00000000D301}46644516C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8c3d|C:\Windows\System32\SHELL32.dll+28385e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 23542300x80000000000000001452424Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:12.570{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B1BEAA61AF10760E23F42E9CA4985E,SHA256=BEE6A0610CA014889800F6E48B4B25BCA3641BA30DB764E2B1693C0EADB9E1FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397603Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:12.374{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF4FD2722052197F83858375940379DB,SHA256=8E9C07AA1FD6EA4F2B69E0AEAE0B4240D4C60986E7D7809F26478B07991FECC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452436Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:13.590{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9239E841C56F21FCFB391D4BA0107EF2,SHA256=64AFCBAABCF8A3C5B23644230ECDB0E1642D98A864B870257B1B2763EADC79E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397604Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:13.374{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507E030479A5F91ADE6B3C9358891C05,SHA256=0816EC5ACE46D3770AA0FD49DE7DE869A4BA14367817215B884161C54ED59200,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452435Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:13.137{D694AEB8-D134-60E2-1A04-00000000D301}46644516C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8c3d|C:\Windows\System32\SHELL32.dll+28385e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x80000000000000001452434Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:13.137{D694AEB8-D134-60E2-1A04-00000000D301}46644516C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8c3d|C:\Windows\System32\SHELL32.dll+28385e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x80000000000000001452433Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:13.105{D694AEB8-D134-60E2-1A04-00000000D301}46644852C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452432Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:13.090{D694AEB8-D134-60E2-1A04-00000000D301}46644852C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452431Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:13.090{D694AEB8-D134-60E2-1A04-00000000D301}46644852C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452430Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:13.090{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452429Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:13.090{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452428Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:13.090{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452427Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:13.090{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001452426Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:10.558{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54518-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001452437Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:14.604{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6229A893AB949FB8EE6735AABB0A444,SHA256=06EBAEDF5C7810B6C31C42BCFEFDD6179638B637F0B9415D644930B175E7DD92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397606Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:14.374{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2570098710F21E40472F857E75CEF217,SHA256=CBC9900A3530BC9DFB7CE320CE11658941959D7730F86F33F9658A5E5C59183A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397605Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:12.369{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53876-false10.0.1.12-8000- 23542300x80000000000000001452438Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:15.619{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F59681ACE4BE086A6FE03E17D93FAFE1,SHA256=F467DB04E6564073D266543D9E3CEC1BE43956839863FBBF46A6D326364ECA63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397607Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:15.374{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D09118B31A3CA83033B4BDC32B0BEB1D,SHA256=EF60F809E816A810B20A0B82F26387D305DF7CD5BCFFC0A2D4114F42AF939AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452439Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:16.634{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE144C3B29547020F8A9975B9ACE5A73,SHA256=002275342D72BD6814298077CE5C02F412F8E1C9D8C0EA36B47B6F4B557DDF89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397608Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:16.405{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84383D2E46D9899A911464E5D39B035F,SHA256=2C500F4D3D035C9459172D53A33555299955F9706C550D342F6672AE523933AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452441Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:17.636{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F115DA04986BF7F61A55FF9F2DC99E5,SHA256=7B2B2F32929DD0382A1D9C0076B4C0891A9A394207453F9586DE2AE3402138CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397609Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:17.405{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B6DADB46E791B581963CB6C3F5E2D8,SHA256=A933863EBE175D0752E183B3AB15DBCF4D50818906365623A867D071899FB75C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001452440Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:17.237{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXEC:\Temp\New Text Document.txt2021-07-05 13:25:17.237 23542300x80000000000000001452442Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:18.651{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD04572080718229036CAA8A47900CDF,SHA256=6DBC0C8E551F4DE0974E4602DD84C5D464799ECBA9F680A8D7621ECC9A1A425F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397610Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:18.545{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2D7DCABCA5C5EA498B2D05272D74C47,SHA256=611CA3970CFF3C778529BED1273FB84EF48612FBD5B09A3919B7A06D6AF183AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452445Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:19.684{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9771634A160FB732B93DB9F8B515A1EF,SHA256=50E39336FE97A5557FCF85C9A1398A15E678B62C0BFFE47B6FE85CC9DE1A12B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397612Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:18.369{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53877-false10.0.1.12-8000- 23542300x8000000000000000397611Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:19.624{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4E1C506BFC0923610980B3BC5F88C46,SHA256=B15DC36EF347EF645D547B00041C63C15033312EFE819701A73D4E3C1030D699,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452444Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:17.322{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.130-63208-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 354300x80000000000000001452443Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:16.589{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54519-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000397613Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:20.639{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3017229C331DD690F232AD634164A6D,SHA256=63FA5A89D98F6FDFA306E37FDA13D9DAE125148B6F8A7E0BFD4AD5499161E908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452446Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:20.748{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A349B558B65A34A97407D9357436D793,SHA256=401CB20D00DA5BA6875313FFCEEFA44E1F08461191DDB7CE3B64F9A92261958F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397614Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:21.717{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD4A710B7E68DAE748750A2CD89A644,SHA256=A14CCDC01E3E9E190DD22D0673B89A752AF249ED4643C52F18D67E6E3CE4BB64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452448Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:21.781{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=991A036145A16E134C9E6B9114D6D657,SHA256=5B1ED35F37D5D71C6B1499F1588A5FBBDE86D720396CE9B07DF37D4B7EEE4669,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452447Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:18.502{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54046- 23542300x80000000000000001452453Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:22.799{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AFF4524617C9F74850E8405461643A8,SHA256=8724DEDA5790C84EF4BB8B14EBAAA43880E5E67BE783EE3340C6EC653D9663BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397615Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:22.858{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6415E2EC337C19BED9074F9D7BF3F198,SHA256=86912C9EFBBCCC633047CE2FF2ADB7D9705C48B21885F092C9B959B2714F7F8C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001452452Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:22.762{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2021-07-02 13:04:00.985 23542300x80000000000000001452451Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:22.762{D694AEB8-D134-60E2-1A04-00000000D301}4664ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnkMD5=00E407175D8520F670123061EC457216,SHA256=E49CBA46954D2F8FEEEF9F73D06B49487D11FE20AC40DA184BA26294A62B2885,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452450Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:22.762{D694AEB8-B3EA-60E2-1400-00000000D301}10401504C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001452449Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:22.762{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\wd.ps1.lnk2021-07-05 13:25:22.762 23542300x8000000000000000397616Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:23.858{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18EF3C391B4CC693C6AF8DAF429BCDBB,SHA256=9F10C8FA162C5F9B0F3B8EDE26ACEFADE0269A95DF55D82E4F28C37702455A96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452454Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:23.878{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6958167A52B40E44E6C00AA56489B02D,SHA256=6FACA80FEABB60099B15F0C89B77F1D011F1C7F122782535373EA5915F947451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397632Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:24.937{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB84527F7CB889A02645558C32072BA,SHA256=BEEAA683FD2B377D40CF16C8451BE96E2084CDA20036FE44DBADAC562135D4BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452472Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:24.914{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAF3755CF7A2FED5BB6B986A04765126,SHA256=68670F2892CE1FED5A12B91309F03C8A0688BE6D7E55A9ED8F5D4A0CDE1746BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397631Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:24.359{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397630Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:24.359{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397629Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:24.359{7F1C7D0B-B3E3-60E2-0B00-00000000D401}6402620C:\Windows\system32\lsass.exe{7F1C7D0B-B3E3-60E2-0A00-00000000D401}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000397628Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:25:24.359{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b10170f-aa22-4c60-a0f8-5e6443014593}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000397627Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:25:24.359{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b10170f-aa22-4c60-a0f8-5e6443014593}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000397626Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:25:24.359{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b10170f-aa22-4c60-a0f8-5e6443014593}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000397625Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:25:24.359{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b10170f-aa22-4c60-a0f8-5e6443014593}\LeaseTerminatesTimeDWORD (0x60e31654) 13241300x8000000000000000397624Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:25:24.359{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b10170f-aa22-4c60-a0f8-5e6443014593}\T2DWORD (0x60e31492) 13241300x8000000000000000397623Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:25:24.359{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b10170f-aa22-4c60-a0f8-5e6443014593}\T1DWORD (0x60e30f4c) 13241300x8000000000000000397622Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:25:24.359{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b10170f-aa22-4c60-a0f8-5e6443014593}\LeaseObtainedTimeDWORD (0x60e30844) 13241300x8000000000000000397621Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:25:24.359{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b10170f-aa22-4c60-a0f8-5e6443014593}\LeaseDWORD (0x00000e10) 13241300x8000000000000000397620Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:25:24.359{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b10170f-aa22-4c60-a0f8-5e6443014593}\DhcpServer10.0.1.1 13241300x8000000000000000397619Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:25:24.359{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b10170f-aa22-4c60-a0f8-5e6443014593}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000397618Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:25:24.359{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b10170f-aa22-4c60-a0f8-5e6443014593}\DhcpIPAddress10.0.1.15 13241300x8000000000000000397617Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:25:24.359{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1b10170f-aa22-4c60-a0f8-5e6443014593}\DhcpInterfaceOptionsBinary Data 10341000x80000000000000001452471Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:24.645{D694AEB8-D134-60E2-1A04-00000000D301}46644516C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8c3d|C:\Windows\System32\SHELL32.dll+28385e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x80000000000000001452470Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:24.645{D694AEB8-D134-60E2-1A04-00000000D301}46644516C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8c3d|C:\Windows\System32\SHELL32.dll+28385e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x80000000000000001452469Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:24.614{D694AEB8-D134-60E2-1A04-00000000D301}46644852C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452468Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:24.614{D694AEB8-D134-60E2-1A04-00000000D301}46644852C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452467Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:24.614{D694AEB8-D134-60E2-1A04-00000000D301}46644852C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452466Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:24.614{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452465Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:24.614{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452464Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:24.614{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452463Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:24.614{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452462Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:24.399{D694AEB8-D134-60E2-1A04-00000000D301}46644516C:\Windows\Explorer.EXE{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8c3d|C:\Windows\System32\SHELL32.dll+28385e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x80000000000000001452461Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:24.346{D694AEB8-B3EA-60E2-1600-00000000D301}1296300C:\Windows\system32\svchost.exe{D694AEB8-0844-60E3-000B-00000000D301}5836C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452460Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:24.346{D694AEB8-B3EA-60E2-1600-00000000D301}12961384C:\Windows\system32\svchost.exe{D694AEB8-0844-60E3-000B-00000000D301}5836C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452459Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:24.346{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-0844-60E3-000B-00000000D301}5836C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452458Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:24.346{D694AEB8-D131-60E2-0904-00000000D301}17165668C:\Windows\system32\csrss.exe{D694AEB8-0844-60E3-000B-00000000D301}5836C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452457Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:24.346{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0844-60E3-000B-00000000D301}5836C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452456Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:24.330{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-0844-60E3-000B-00000000D301}5836C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001452455Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:21.615{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54520-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000397636Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:25.950{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD92FA001B84C6B62D620D1B5CB48E06,SHA256=9C476AFE40F9FAB28CC2AA5A1CD6518B1A0D35512E0B9E2D107F8DB3CAF53553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452475Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:25.929{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A6E68574553E1C4044B4D70B1E66BF,SHA256=C00E6C94227DA8CAA75D212D8997A2443A7319EB2CD4D6F08B21792C6B1143D8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000397635Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:25:25.809{7F1C7D0B-B3E4-60E2-1500-00000000D401}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d771a1-0x370e9b1f) 23542300x8000000000000000397634Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:25.418{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B6EE7B73531C44E636C26F5FB75278E5,SHA256=CABB52CA7F1C14881DD52F9699BD2B45FF54DFF5769CB2F5D31F322F91679860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397633Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:25.418{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9D6B46C1DF752F7786E410979FCD2341,SHA256=EFCBE5D6B8991443D7630811C20160495ED11CC2528819F2008A5D305458565F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452474Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:25.381{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DE211FE4198CB5B7C3E36E28D20CC10,SHA256=8B861E619A368A3A38EF0AC5529A409194B23749619FC27C215B9174C72D1E8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452473Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:25.379{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D13ED02C940DE2E1B7B2CC5C59DE357C,SHA256=8DFB1D648C85C8FA1CE725D30291F859E40B936CB92F8721539FB219DFA9C8D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397642Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:26.951{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB474DAB43AB03E8AD21C4029079055,SHA256=DDA09DA1E37EFB515F4B4F37BC2F53D0938DFC24E133740F6DF64CF96B68B7BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452477Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:26.929{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7236946718EE94BA6823B9840532798,SHA256=5FD8939112A564CCBE05AABDB7E881CEF98F9C8FA3F17217BC20DBF615F49E5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397641Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:26.327{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FCBDF630062D0383F57020E2E4F5C16A,SHA256=A6654F7319989E407127E1DBFC18D49B630A7B04E0F71A403CA38F0FC9093F10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397640Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:24.578{7F1C7D0B-B3E4-60E2-1600-00000000D401}1300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9840:442:84cc:ffff-60282-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000397639Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:24.578{7F1C7D0B-B3E4-60E2-1600-00000000D401}1300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:9c76:6f2e:c294:e2b6win-host-884.eu-central-1.compute.internal60282-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000397638Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:24.558{7F1C7D0B-B3E4-60E2-1100-00000000D401}996C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 354300x8000000000000000397637Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:24.354{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53878-false10.0.1.12-8000- 23542300x80000000000000001452476Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:26.097{D694AEB8-FCBE-60E2-8009-00000000D301}5812ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=9D64437E63DDF5FB17A3FA37DF272A85,SHA256=395E1D59320B2F30276C51C619D4244393BAFE15888A96F73CF41DCC32FC2F0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397655Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:27.951{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D528A9DD8255827A96EB0442ADCCED50,SHA256=6BD806F5781049C1F69D794BA7D1A81BE7D281B7301D040A1A1919E643973CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452479Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:27.978{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31445E4822FD042F2052247230A6A878,SHA256=E1F84567ACD67103271721F393A82F8B58FB2808533A4B08B88DB0E7CF179F20,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000397654Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:25:27.764{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000397653Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:25:27.764{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0149b4f7) 13241300x8000000000000000397652Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:25:27.764{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77198-0xd653426d) 13241300x8000000000000000397651Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:25:27.764{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a1-0x3817aa6d) 13241300x8000000000000000397650Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:25:27.764{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771a9-0x99dc126d) 13241300x8000000000000000397649Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:25:27.764{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000397648Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:25:27.764{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0149b4f7) 13241300x8000000000000000397647Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:25:27.764{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77198-0xd653426d) 13241300x8000000000000000397646Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:25:27.764{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a1-0x3817aa6d) 13241300x8000000000000000397645Microsoft-Windows-Sysmon/Operationalwin-host-884-SetValue2021-07-05 13:25:27.764{7F1C7D0B-B3E3-60E2-0B00-00000000D401}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771a9-0x99dc126d) 354300x8000000000000000397644Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:26.056{7F1C7D0B-B3E4-60E2-1600-00000000D401}1300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-884.eu-central-1.compute.internal55318-false10.0.1.14-53domain 354300x8000000000000000397643Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:26.039{7F1C7D0B-B3E4-60E2-1600-00000000D401}1300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9840:442:84cc:ffff-55318-truea00:10e:0:0:0:0:0:0-53domain 354300x80000000000000001452478Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:25.291{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.15WIN-HOST-88455318- 23542300x80000000000000001452480Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:28.996{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A072BD508EFBABF932CE4AD82E11A43,SHA256=B3516E37782C6BD901124D80C032FD187183563293BE60409717E45625FC29A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397659Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:28.189{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-13129-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000397658Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:29.217{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3854F26E7FE8C1AF27902B4681C71EF3,SHA256=63F161529C7E4280D159EA1BC9FC41760BBBACD103CF9053471A8CDD12FA1438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397657Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:29.217{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B73B75FB2C0BF55367FDD36158A7F4B8,SHA256=79E6F6C7AE4894574B99CCB56702A085399A640DD65AC1FFA6468C4E5296DBD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397656Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:29.123{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5798FBD1534340A3AD40A28E72B3F9A9,SHA256=D4D2FAFEDE67988FFC0252ADF0262DCC7ABBC6F804D8C025BCEDBC51B11C863F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452481Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:29.626{D694AEB8-B3E8-60E2-0B00-00000000D301}6566076C:\Windows\system32\lsass.exe{D694AEB8-B3E5-60E2-0100-00000000D301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000397661Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:29.370{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53879-false10.0.1.12-8000- 23542300x8000000000000000397660Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:30.154{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09EEE56D2C192D435B4152CD7D4C9EE5,SHA256=DB235DE412794E6DBD8B17C33F749490613E240CBBF3CE80E142FE5345BADA2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452486Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:30.642{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F863238F7234391FBC127046355ABF5C,SHA256=9784778DB18EB357DA75D9A3077BBE856F681F5570A7E9D5E5C83F7652F7CC62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452485Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:30.642{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DE211FE4198CB5B7C3E36E28D20CC10,SHA256=8B861E619A368A3A38EF0AC5529A409194B23749619FC27C215B9174C72D1E8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452484Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:30.426{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452483Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:27.649{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54521-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001452482Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:30.042{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B354FF20937325627F75F7CCD6D38C1,SHA256=C650B19F9C5F8492BA7582D1E24A6248B3FBAFCFDA4F5C513CF5E17754F1B06A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397663Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:31.233{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=549DCE0A6C0FAA639A54CDD95B397815,SHA256=2E5B5FF4EC5EE6C4171CECDD42AD803DE8B326920B32C07B426D824DB61535AE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001452503Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:31.877{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53368657-c59e-4162-93aa-d47525447da1}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000001452502Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:31.877{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53368657-c59e-4162-93aa-d47525447da1}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000001452501Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:31.877{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53368657-c59e-4162-93aa-d47525447da1}\AddressTypeDWORD (0x00000000) 13241300x80000000000000001452500Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:31.877{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53368657-c59e-4162-93aa-d47525447da1}\LeaseTerminatesTimeDWORD (0x60e3165b) 13241300x80000000000000001452499Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:31.877{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53368657-c59e-4162-93aa-d47525447da1}\T2DWORD (0x60e31499) 13241300x80000000000000001452498Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:31.877{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53368657-c59e-4162-93aa-d47525447da1}\T1DWORD (0x60e30f53) 13241300x80000000000000001452497Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:31.877{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53368657-c59e-4162-93aa-d47525447da1}\LeaseObtainedTimeDWORD (0x60e3084b) 13241300x80000000000000001452496Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:31.877{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53368657-c59e-4162-93aa-d47525447da1}\LeaseDWORD (0x00000e10) 13241300x80000000000000001452495Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:31.877{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53368657-c59e-4162-93aa-d47525447da1}\DhcpServer10.0.1.1 13241300x80000000000000001452494Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:31.877{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53368657-c59e-4162-93aa-d47525447da1}\DhcpSubnetMask255.255.255.0 13241300x80000000000000001452493Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:31.877{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53368657-c59e-4162-93aa-d47525447da1}\DhcpIPAddress10.0.1.14 13241300x80000000000000001452492Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:31.877{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{53368657-c59e-4162-93aa-d47525447da1}\DhcpInterfaceOptionsBinary Data 10341000x80000000000000001452491Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:31.457{D694AEB8-B3EA-60E2-1600-00000000D301}12965460C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452490Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:31.457{D694AEB8-B3EA-60E2-1600-00000000D301}12965460C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001452489Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:29.080{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54522-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001452488Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:29.080{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local54522-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 23542300x80000000000000001452487Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:31.042{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E517F48E48BC18FA14D1C43FA1CE468A,SHA256=8E9EFF69E18A620077E239E9EEAD73FD0A6B1B5CB8E7FB9E95C3C675F482AEF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397662Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:31.123{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397665Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:31.307{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53880-false10.0.1.12-8089- 23542300x8000000000000000397664Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:32.326{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADCF5D561644613268298606811C22C2,SHA256=E8230D9BF50C4F90F623B3B6B91C56C52F850FBBB05A7C2E482AE4904D282DD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452505Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:29.863{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local54523-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001452504Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:32.056{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=366A231E0A8001220583464743B563C1,SHA256=A643BA6E31ACE71AD665C4D892B8CFFD5CD9823A3E71CF5AA3D97C1EBDCF3B93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397666Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:33.358{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D4FB3949CF0690E7BC1767929BA52E,SHA256=1685C02D93971900530984F9639FC35368AE3A7EC3246DB3B265D70F28001EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452523Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:33.923{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D36A05BFE750BA3A2123D6650482CC73,SHA256=1F9FD0B44CF84E6740EE47B12B5471B1061F1515E4A079013AB9D764CC9253D2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001452522Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:33.907{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001452521Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:33.907{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001452520Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:33.907{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001452519Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:33.907{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\FlagsDWORD (0x00000002) 13241300x80000000000000001452518Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:33.907{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\TtlDWORD (0x000004b0) 13241300x80000000000000001452517Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:33.907{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\SentPriUpdateToIpBinary Data 13241300x80000000000000001452516Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:33.907{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\SentUpdateToIpBinary Data 13241300x80000000000000001452515Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:33.907{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\DnsServersBinary Data 13241300x80000000000000001452514Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:33.907{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\HostAddrsBinary Data 13241300x80000000000000001452513Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:33.907{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\PrimaryDomainNameattackrange.local 13241300x80000000000000001452512Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:33.907{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\AdapterDomainName(Empty) 13241300x80000000000000001452511Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:33.907{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\Hostnamewin-dc-201 10341000x80000000000000001452510Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:33.907{D694AEB8-B3E8-60E2-0B00-00000000D301}6566076C:\Windows\system32\lsass.exe{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000001452509Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:33.907{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{53368657-C59E-4162-93AA-D47525447DA1}\RegisteredSinceBootDWORD (0x00000001) 354300x80000000000000001452508Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:31.328{D694AEB8-B3EA-60E2-1100-00000000D301}404C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-201.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x80000000000000001452507Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:33.108{D694AEB8-FCBE-60E2-8009-00000000D301}5812ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\wd.ps1@2021-07-05_132526MD5=A279A1CEC22FC13C30D4AEC8E147D7D9,SHA256=F06244A9B15474173EAF6CAA0FD084EA342392A45BD8347D6635C1C976D9476F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452506Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:33.074{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B21A3834791C6BD974839B212B65E0,SHA256=409AB18C8B58A98CA14B5D835B6853650EDB4D1FCEBD9F1FF742884EF07CAEF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397680Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:34.639{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-084E-60E3-6F0A-00000000D401}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397679Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397678Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397677Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397676Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397675Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397674Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397673Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397672Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397671Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397670Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:34.639{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-084E-60E3-6F0A-00000000D401}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397669Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:34.639{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-084E-60E3-6F0A-00000000D401}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397668Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:34.640{7F1C7D0B-084E-60E3-6F0A-00000000D401}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000397667Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:34.358{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBABAF6E189265E244DA24064B13DA07,SHA256=883B54A0D04AFDC3F7B58B478827C2A5A3976F2CFCC909F02DBFA72CB353EA5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452527Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:31.508{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local58960- 354300x80000000000000001452526Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:31.334{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:f870:1178:1b1:ffff-49498-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000001452525Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:31.334{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local49498-trueff02:0:0:0:0:0:1:3-5355llmnr 23542300x80000000000000001452524Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:34.107{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADDB7C72ACD13E04A9165A20B6CB17BD,SHA256=38EDF98A09A102D6B212A1A2AD587BB2B2EC011E9C74E4138B598023A064D9EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397709Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.826{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A992D591059D2807074AF115CF642AA,SHA256=F3D16002E7C20825F52F59FD5A59DECCAF8B1FEF5536393C7337F2DFC08F7F87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397708Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.826{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3854F26E7FE8C1AF27902B4681C71EF3,SHA256=63F161529C7E4280D159EA1BC9FC41760BBBACD103CF9053471A8CDD12FA1438,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397707Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.811{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-084F-60E3-710A-00000000D401}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397706Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397705Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397704Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397703Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397702Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397701Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397700Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397699Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397698Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397697Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.811{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-084F-60E3-710A-00000000D401}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397696Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.811{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-084F-60E3-710A-00000000D401}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397695Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.812{7F1C7D0B-084F-60E3-710A-00000000D401}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000397694Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.811{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A08CFCCD22F1997339085E2F0BDD3C6E,SHA256=3F031F6A80206326280B5680C36EB5CB969C7AA6FA2D405F9605C2D72A849D9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452539Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:33.373{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local59821- 354300x80000000000000001452538Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:33.373{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local59137- 354300x80000000000000001452537Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:33.369{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60835-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001452536Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:33.369{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60835-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001452535Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:33.368{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local57881- 354300x80000000000000001452534Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:33.365{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-201.attackrange.local60834-false10.0.1.14win-dc-201.attackrange.local53domain 354300x80000000000000001452533Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:33.365{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-201.attackrange.local60834-false10.0.1.14win-dc-201.attackrange.local53domain 354300x80000000000000001452532Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:33.363{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local63549- 354300x80000000000000001452531Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:33.363{D694AEB8-B3EA-60E2-1400-00000000D301}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-201.attackrange.local63549-false10.0.1.14win-dc-201.attackrange.local53domain 354300x80000000000000001452530Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:33.362{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local50974- 23542300x80000000000000001452529Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:35.121{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E5DE656ED01048D78C7D0B58B84785,SHA256=54A19860E19EBB40EDD3674D830C02C978B142CC4C566D61B23C55C98199C028,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397693Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.311{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-084F-60E3-700A-00000000D401}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397692Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397691Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397690Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397689Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397688Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397687Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397686Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397685Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397684Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.311{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397683Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.311{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-084F-60E3-700A-00000000D401}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397682Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.311{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-084F-60E3-700A-00000000D401}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397681Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.311{7F1C7D0B-084F-60E3-700A-00000000D401}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001452528Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:35.053{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F863238F7234391FBC127046355ABF5C,SHA256=9784778DB18EB357DA75D9A3077BBE856F681F5570A7E9D5E5C83F7652F7CC62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397711Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:36.936{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1861504A8D61295F58178491698604B1,SHA256=BA80F40C29925489DDD40DBBD7C8C1EABC5CCBD03C239BF7F4EFE8106F9EEC5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452544Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:33.643{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60836-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001452543Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:33.374{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local59169- 354300x80000000000000001452542Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:33.374{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-201.attackrange.local53domainfalse10.0.1.14win-dc-201.attackrange.local61858- 354300x80000000000000001452541Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:33.373{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local57090- 23542300x80000000000000001452540Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:36.136{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F42F04FB5F2D5F7909903DCC2E68E7,SHA256=7F04ECDC8FF5CEC8F0CB7BBDFDC9CDC08A15E88EB233969932047E5BDCC120B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397710Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:36.045{7F1C7D0B-084F-60E3-710A-00000000D401}18043676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000397713Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:37.951{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6FF884EE08C0231BB2D334B1211DEAA,SHA256=E756779D14D3A840B254B357C9155B18A22D5598C302324CA00292258D054CDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452545Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:37.151{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88851C24E3E5A37F5860FC39CEB59EB0,SHA256=4DC7F57CE1F96481C69DA823AECC2830DC331623D9DCD023C301E061D68179F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397712Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:35.369{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53881-false10.0.1.12-8000- 23542300x8000000000000000397714Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:38.983{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131DFE3A8BB987946085793FDC820343,SHA256=5F1E4DB2D34E200E931ED863F3C428939F1AB9AA3A9B615A74982A2395D8E6A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452546Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:38.168{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8CEBA237573B98A8D26A0CC51B975BA,SHA256=47511D75E57FFFC7F534A923151054B4728E631E5B2449FB613F34AC95205E8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397742Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.982{7F1C7D0B-0853-60E3-730A-00000000D401}3603244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397741Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.795{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0853-60E3-730A-00000000D401}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397740Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397739Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397738Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397737Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397736Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397735Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397734Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397733Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397732Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.795{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397731Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.795{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0853-60E3-730A-00000000D401}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397730Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.795{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0853-60E3-730A-00000000D401}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397729Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.796{7F1C7D0B-0853-60E3-730A-00000000D401}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000397728Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.295{7F1C7D0B-0853-60E3-720A-00000000D401}27763436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397727Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.123{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0853-60E3-720A-00000000D401}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397726Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397725Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397724Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397723Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397722Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397721Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397720Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397719Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397718Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.123{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397717Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.123{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0853-60E3-720A-00000000D401}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397716Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.123{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0853-60E3-720A-00000000D401}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397715Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:39.124{7F1C7D0B-0853-60E3-720A-00000000D401}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001452547Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:39.186{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E483A083CFDB6BE30B316AE7BA5F9E44,SHA256=94CBB5D8B288AFF4041BF7C7B31B92C55B635762E9C301BB0C46BED0D202873F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397758Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:40.576{7F1C7D0B-0854-60E3-740A-00000000D401}21043968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397757Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:40.389{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0854-60E3-740A-00000000D401}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397756Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:40.389{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397755Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:40.389{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397754Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:40.389{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397753Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:40.389{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397752Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:40.389{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397751Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:40.389{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397750Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:40.389{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397749Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:40.389{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397748Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:40.389{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397747Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:40.389{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0854-60E3-740A-00000000D401}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397746Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:40.389{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0854-60E3-740A-00000000D401}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397745Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:40.391{7F1C7D0B-0854-60E3-740A-00000000D401}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000397744Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:40.389{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B175DBA043025B2D77D382EB7ED14A,SHA256=0065F08432E2F5C5556195C9ECAB1910CA52EA2EF95019FCCD1D03751186DAE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397743Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:40.389{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A992D591059D2807074AF115CF642AA,SHA256=F3D16002E7C20825F52F59FD5A59DECCAF8B1FEF5536393C7337F2DFC08F7F87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452549Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:40.202{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC112BB933A31377A092FEFFE92C28CF,SHA256=5AAF39DB0115ABD07B1705F0C2432F43909B37662716C141D274FEF54A74A8CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452548Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:40.118{D694AEB8-FCBE-60E2-8009-00000000D301}5812ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\wd.ps1@2021-07-05_132526MD5=677025C4C7A3D99A6B9558E3A7939755,SHA256=06E35CFDDB6718850CECC89E36E3C696517AD855D6EFD4DCA562D6F8CDAE98F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397773Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:41.529{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AB408EF22F00DFAC1D874B77B94E58D,SHA256=69BCDAF13454A8B20061D38F8BAACD28696131A1D2941C7151E5D1F0FC1016FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397772Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:41.529{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA01E21BB403BE164F2060C0904D6250,SHA256=B2A3F641A754D05C4AF65D9C1021944C32E5B3808934481EDC8CFAB5E04C9DA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452553Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:39.670{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60837-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001452552Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:41.432{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90F28959267F0B611A68F167567963A0,SHA256=A0391C45ED1B3E88F370D6F8B732D274C3B637C6F36B4A28569F9D539D2889C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452551Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:41.432{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=398A590FCE64BBC1D78DDD0C323984FC,SHA256=E425DD69E9AA8041978223723E6EA3ED8FB2B060343AD9B36129BD15128F413C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452550Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:41.232{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EFFD2D285F794CC467906F196446E02,SHA256=A1FE5171018D8A87191AFBF34E509F253D12D64E2CAC2085D6E7355172F10611,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397771Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:41.061{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0855-60E3-750A-00000000D401}1756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397770Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:41.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397769Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:41.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397768Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:41.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397767Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:41.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397766Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:41.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397765Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:41.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397764Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:41.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397763Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:41.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397762Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:41.061{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397761Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:41.061{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0855-60E3-750A-00000000D401}1756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397760Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:41.061{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0855-60E3-750A-00000000D401}1756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397759Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:41.061{7F1C7D0B-0855-60E3-750A-00000000D401}1756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000397774Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:42.748{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DF1962FE867945F3C7A65A31AAD80B3,SHA256=E96A1A81906984A4E77287C4B78F85A22DE415A194CC3F47441EACA5E235898E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452554Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:42.266{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CED4997682561D456646780BFD60F58,SHA256=EA2823B579737F46A9C63B2A3D151996B7203D56B4F0A699EAFC2BBB50CFB762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397776Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:43.795{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C01A905F68F8718F37E7DFD00149976D,SHA256=527708EF81FA65AEA06938576AB19C52EF6697B2AC81D1100FC644949BF8499C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452555Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:43.283{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06C682BAE48FDF0477612F866C59AA0,SHA256=0ECF11D35537801F748C804FEA1023424DE7E468174D511585D563C3AB77B5DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397775Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:41.400{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53882-false10.0.1.12-8000- 23542300x8000000000000000397777Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:44.826{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCFC8A8C6CDAA23D716F1880DEBD27C,SHA256=06FF7DC5B9652547931C4905952C5888C0DC65B51A23C623CCECD365435F0F5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452559Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:44.762{D694AEB8-FCBE-60E2-8009-00000000D301}5812ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\wd.ps1@2021-07-05_132526MD5=7E8FE9B3C3629F87F77B166A4B6D275A,SHA256=C74E508CD9234C6515B08CC51EDEF901ACCABF8F41BFC8654245225CEE6D30E0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001452558Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:44.743{D694AEB8-FCBE-60E2-8009-00000000D301}5812C:\Program Files\Notepad++\notepad++.exeC:\Temp\wd.ps12021-07-05 13:25:17.237 23542300x80000000000000001452557Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:44.743{D694AEB8-FCBE-60E2-8009-00000000D301}5812ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\wd.ps1MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452556Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:44.297{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442C4CBD61D4F7ED1C945E45C7EA9AA2,SHA256=E9F90A63677D5C2ECF56CA1766429D3A29E1BFEE980230D76039349D3EA95303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397778Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:45.826{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FBA99940177C534C6A8A0260A4A408,SHA256=52D47045150E7F414EFA5DCBDD9A58FB22979145B7544F4A035860227619C535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452560Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:45.327{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B7082BA8E7B9860CE72694DE44B3B44,SHA256=319D5BFEB3960F1D920C90B562D253343E6AC8957C90C254340A53C29AACE123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397779Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:46.982{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19376941FF67135636EC216B1D1B2A5C,SHA256=7836F5EAFA78F343B3FB8B3290E02450049AD0C3E63CA8427871B15279E84F69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452592Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.560{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF5C36ECDF4885B709898F349E2AB746,SHA256=C9C285E630BBE0B4929B492440519B879EE1736DC87AE4825CC6905830CEB097,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452591Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452590Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452589Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452588Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452587Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452586Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452585Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452584Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452583Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452582Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452581Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452580Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452579Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452578Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452577Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452576Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452575Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452574Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452573Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452572Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452571Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452570Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2500-00000000D301}2804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452569Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2500-00000000D301}2804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452568Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452567Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452566Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452565Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452564Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452563Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452562Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452561Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:46.027{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001452594Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:45.695{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60838-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001452593Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:47.641{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A401238709F9E355D835622A76D9B8,SHA256=AC13692DD2CF7B46ADD89B5FFC923ED541C25A1682BB33B311E7C946FFEB6B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452619Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.662{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64CE29219907A765DB60C31CF764C0B2,SHA256=89050ACCAF40A6C9C5AA04AB0F562A8CB062CAAE8088626D26D0A2C8534E92DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397781Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:47.463{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53883-false10.0.1.12-8000- 23542300x8000000000000000397780Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:48.014{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D703B91CEA883EAD732758600F6136B,SHA256=9D4321611DEA8B664FD990858DC3606364AD29EB7B13209B5C2C2BF8F514A9A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452618Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.141{D694AEB8-D134-60E2-1A04-00000000D301}46644852C:\Windows\Explorer.EXE{D694AEB8-085C-60E3-010B-00000000D301}5556C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452617Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.141{D694AEB8-D134-60E2-1A04-00000000D301}46644852C:\Windows\Explorer.EXE{D694AEB8-085C-60E3-010B-00000000D301}5556C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452616Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.141{D694AEB8-D134-60E2-1A04-00000000D301}46644852C:\Windows\Explorer.EXE{D694AEB8-085C-60E3-010B-00000000D301}5556C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452615Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.141{D694AEB8-D133-60E2-1404-00000000D301}42124344C:\Windows\system32\taskhostw.exe{D694AEB8-085C-60E3-020B-00000000D301}5292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452614Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.141{D694AEB8-D133-60E2-1404-00000000D301}42124344C:\Windows\system32\taskhostw.exe{D694AEB8-085C-60E3-020B-00000000D301}5292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452613Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.125{D694AEB8-D134-60E2-1A04-00000000D301}46646712C:\Windows\Explorer.EXE{D694AEB8-085C-60E3-010B-00000000D301}5556C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452612Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.125{D694AEB8-D134-60E2-1A04-00000000D301}46646712C:\Windows\Explorer.EXE{D694AEB8-085C-60E3-010B-00000000D301}5556C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452611Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.125{D694AEB8-D134-60E2-1A04-00000000D301}46646712C:\Windows\Explorer.EXE{D694AEB8-085C-60E3-010B-00000000D301}5556C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452610Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.125{D694AEB8-D134-60E2-1A04-00000000D301}46646712C:\Windows\Explorer.EXE{D694AEB8-085C-60E3-010B-00000000D301}5556C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452609Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.125{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-085C-60E3-020B-00000000D301}5292C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452608Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.125{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-085C-60E3-020B-00000000D301}5292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452607Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.125{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-085C-60E3-020B-00000000D301}5292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452606Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.125{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-085C-60E3-020B-00000000D301}5292C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452605Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.109{D694AEB8-B3EA-60E2-1600-00000000D301}1296300C:\Windows\system32\svchost.exe{D694AEB8-085C-60E3-020B-00000000D301}5292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452604Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.109{D694AEB8-B3EA-60E2-1600-00000000D301}12961384C:\Windows\system32\svchost.exe{D694AEB8-085C-60E3-020B-00000000D301}5292C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452603Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.109{D694AEB8-085C-60E3-020B-00000000D301}52925776C:\Windows\system32\conhost.exe{D694AEB8-085C-60E3-010B-00000000D301}5556C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452602Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.094{D694AEB8-D131-60E2-0904-00000000D301}1716440C:\Windows\system32\csrss.exe{D694AEB8-085C-60E3-020B-00000000D301}5292C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452601Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.094{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452600Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.094{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452599Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.094{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452598Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.094{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452597Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.094{D694AEB8-D131-60E2-0904-00000000D301}17163592C:\Windows\system32\csrss.exe{D694AEB8-085C-60E3-010B-00000000D301}5556C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452596Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.094{D694AEB8-D134-60E2-1A04-00000000D301}46644516C:\Windows\Explorer.EXE{D694AEB8-085C-60E3-010B-00000000D301}5556C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+1f9aa4|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+175730|C:\Windows\System32\SHELL32.dll+16d60c|C:\Windows\System32\SHELL32.dll+19e7e8|C:\Windows\System32\SHELL32.dll+16d7a6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x80000000000000001452595Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:48.098{D694AEB8-085C-60E3-010B-00000000D301}5556C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Temp"C:\Windows\system32\ATTACKRANGE\Administrator{D694AEB8-D133-60E2-3BFB-250000000000}0x25fb3b2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x80000000000000001452622Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:49.677{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=698B796159C960A51F6C3E6DA8C6B821,SHA256=33213E23F31E1198228F4313B35865795F3A4B919324D61AF0F604ABC631E858,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397782Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:49.014{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B5A52A386965F4EBF99316784F8C5DA,SHA256=BEAB7EA1BF13A5A2FE3397CEE07D949EC9F59CC727500C84D9665FFE8A48E413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452621Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:49.124{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEE64ADA8CAB00FE7FEDA929F05DB650,SHA256=AC3428CE9C16367EB76F5A8C2BB991ECDC867FA2304F412D76F8A6FD3E815A7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452620Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:49.124{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90F28959267F0B611A68F167567963A0,SHA256=A0391C45ED1B3E88F370D6F8B732D274C3B637C6F36B4A28569F9D539D2889C4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001452624Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:25:50.724{D694AEB8-B3EA-60E2-1000-00000000D301}416C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d771a1-0x45e86406) 23542300x80000000000000001452623Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:50.693{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EF6F787C7C821465461D57EA97A6B7B,SHA256=95D376AC658B53CD3787BC396250EDFFD7946936764376A413B698336D46B785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397783Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:50.076{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E5266790D5FD3427806EE5A06518B4,SHA256=4657B8F4D4E8A483D6984B69332CB4130BA0F7833A5E751FBB7B689EC2D9F011,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452628Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:50.160{D694AEB8-B3EA-60E2-1000-00000000D301}416C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-201.attackrange.local123ntpfalse169.254.169.123-123ntp 23542300x80000000000000001452627Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:51.810{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2E7568F4C8174FC9F3B2A80C1E2E3914,SHA256=9E95FC3FD2394477BD8B86F50D1D157D13144053952DC643743FC03CD7CDB13B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452626Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:51.810{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EFBB65823A4AD1D7FBBEC081452C5E36,SHA256=6197AA80B1DFEFADA60BAD5BFC01D578876EF74B63225FB816047497D396E76A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452625Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:51.710{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7534A51C5BDE51CE8D4031816879D3FB,SHA256=B790C7E51A9C736D5B4CFFAE427F8C6EBDB8B3A605F05A5AADA6C5A89A1A771E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397784Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:51.076{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=611B11700BF3E565397443129F21A995,SHA256=B3259932DAB07F73CDAC4CC521085D8232E1A90CEBE39E34C58A2B9BDE63FD6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452630Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:50.707{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60839-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001452629Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:52.724{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5326A3D62C12849D67BB222725702862,SHA256=5519B01203BEF781863C809E2625572A074EA2C7BD5CAD3757D59EE6C4D39D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397785Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:52.092{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE8FA55FF796F4C35EBA189B939D866,SHA256=82A5FE2234DA8BAC2E7C68E51F01021D8CB26E43D16089F234E56786AB40EAD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452631Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:53.739{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D9CB3575BA6496A631F4A111869420A,SHA256=821D261DCAA3E00446B6C35C7D854208A2014039EEC4FA82D3FF46859AE07649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397786Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:53.092{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A00E9EC2AA4C8F52DC81E87C6C9D0C5E,SHA256=8927DBB2972C0C383D14CCEB3DB15871749AC9EE03A82737EC5B89F858236C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452640Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:54.757{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E4391197D1817BECFED2BC56AB4814,SHA256=DF5226C9EB234DF364D094847FC8BDD4034E7BB6930EAED8512C7686311E442D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397788Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:53.214{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53884-false10.0.1.12-8000- 23542300x8000000000000000397787Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:54.107{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB4C683242DB4B69A0A282A07EDCB283,SHA256=F52A93E0AF1EF2BD7E8F86EFC9BCD3DF42A4667AC591BA29B26EA4ED615BB173,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452639Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:54.722{D694AEB8-085C-60E3-020B-00000000D301}52925776C:\Windows\system32\conhost.exe{D694AEB8-0862-60E3-030B-00000000D301}4204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452638Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:54.722{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452637Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:54.722{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452636Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:54.722{D694AEB8-D131-60E2-0904-00000000D301}17165668C:\Windows\system32\csrss.exe{D694AEB8-0862-60E3-030B-00000000D301}4204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452635Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:54.722{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452634Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:54.722{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452633Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:54.722{D694AEB8-085C-60E3-010B-00000000D301}55564252C:\Windows\system32\cmd.exe{D694AEB8-0862-60E3-030B-00000000D301}4204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452632Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:54.725{D694AEB8-0862-60E3-030B-00000000D301}4204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell wd.ps1C:\Temp\ATTACKRANGE\Administrator{D694AEB8-D133-60E2-3BFB-250000000000}0x25fb3b2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D694AEB8-085C-60E3-010B-00000000D301}5556C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x80000000000000001452650Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:55.955{D694AEB8-B3E8-60E2-0B00-00000000D301}6566076C:\Windows\system32\lsass.exe{D694AEB8-0862-60E3-030B-00000000D301}4204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452649Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:55.955{D694AEB8-B3E8-60E2-0B00-00000000D301}6566076C:\Windows\system32\lsass.exe{D694AEB8-0862-60E3-030B-00000000D301}4204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001452648Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-CreatePipe2021-07-05 13:25:55.810{D694AEB8-0862-60E3-030B-00000000D301}4204\PSHost.132699651547258804.4204.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001452647Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:55.805{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B3239AE8FB8207B8C64CEDAF46C69F7,SHA256=537DC2300ECFF9E4EA404F1B929BFC0432C5516118F2BBD4EE7585997F45E572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397789Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:55.107{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C027617ECD268347B744A990302F34A,SHA256=E9C205C608273D139BA9B7831D07BBC9A88FBEB144C4CDF913913708941E89D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452646Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:55.800{D694AEB8-0862-60E3-030B-00000000D301}4204ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ztrgicmk.x5e.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452645Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:55.799{D694AEB8-0862-60E3-030B-00000000D301}4204ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ujdqlxm2.g55.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452644Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:55.795{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75119B871042C223EAB13C2A0EAA6E9C,SHA256=BD3D28484A3A6001092282DBA71B0DED9C5D7C362C177C4FEAED8995E90ED20F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452643Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:55.793{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEE64ADA8CAB00FE7FEDA929F05DB650,SHA256=AC3428CE9C16367EB76F5A8C2BB991ECDC867FA2304F412D76F8A6FD3E815A7F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001452642Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:55.639{D694AEB8-0862-60E3-030B-00000000D301}4204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ujdqlxm2.g55.ps12021-07-05 13:25:55.639 10341000x80000000000000001452641Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:55.617{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-0862-60E3-030B-00000000D301}4204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001452655Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:56.827{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAA4A83E397B1CE8C0492346ABDD5B82,SHA256=F584548AF7DDE46098EED9E4AF4356D2C6EAA9911C6B2D22CC944F584A296C08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397790Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:56.326{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359B955DA6233DE534AB0BC82DDE39ED,SHA256=B6D15AF12C5B6DDD265EA20110E018433360C8934D1A2F21F4EA9466249F712D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452654Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:56.628{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C66A10865C58045147761683E6757DA9,SHA256=ECE7E590CFC60C4FE96B885683FF0D39A3610CBD799CB059E271DCE46F6C4429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452653Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:56.175{D694AEB8-0862-60E3-030B-00000000D301}4204ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452652Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:56.000{D694AEB8-B3EA-60E2-1600-00000000D301}1296300C:\Windows\system32\svchost.exe{D694AEB8-0862-60E3-030B-00000000D301}4204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452651Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:56.000{D694AEB8-B3EA-60E2-1600-00000000D301}12961384C:\Windows\system32\svchost.exe{D694AEB8-0862-60E3-030B-00000000D301}4204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001452656Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:57.842{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35153F1C0B726173AD8CD42C6B7F5CB0,SHA256=F91DDD16AF1D2341B407C6E73900437C5B04DCE62EEB88FD30F9E687072B959A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397793Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:57.404{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B0D1113DB67A5B9C2B79B41E4B94918,SHA256=2C5B4D1E969066CF27C1F49F4846EB5442131433455174515A550DF7C71D5698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397792Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:57.404{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F02E2B504C9FA8E41AB03B9E6D6770D,SHA256=C5EFA87B786F50BD929F6E1A11C0BB67E2FEDB359E8E16BE860AA85332C5EC84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397791Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:57.404{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C92EC522BFE3F2D5A43941020055B1F1,SHA256=A7D2944B093F8D7658CF51E7527107E09BF461BEC21980C1D25BF470E9791F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452657Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:58.857{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=384BD7DCDBD1825D78FAE0A2027D636D,SHA256=639A59D8CE688EA64E2A8292654EC057449DE5130C6D69B5BEF181713B9EBCAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397795Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:58.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CCCFC343CB287042983602BBD65BABB,SHA256=67D7C01038ECCB425F4CBF5260E6FF539C873CF3B2AAB36F34D61FEBE6AE071D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397794Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:56.326{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-61283-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 10341000x80000000000000001452676Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:59.909{D694AEB8-0867-60E3-050B-00000000D301}54763564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001452675Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:59.871{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D80596A716B6408E52799BB82632CC,SHA256=1B2992FA198E12786059ABB701EEA49CA7C29E56BFCDB67D1007C6C3162DFC9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397796Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:59.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37E31AAF277C4110108659D833F1870,SHA256=33EB39651D96BBF9D90E50462C96C59769400E214CC65379AD0D6028B51A5A76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452674Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:59.756{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0867-60E3-050B-00000000D301}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452673Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:59.756{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452672Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:59.756{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452671Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:59.756{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452670Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:59.756{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452669Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:59.756{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-0867-60E3-050B-00000000D301}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452668Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:59.756{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0867-60E3-050B-00000000D301}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452667Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:59.757{D694AEB8-0867-60E3-050B-00000000D301}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001452666Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:56.456{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60840-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001452665Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:59.125{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0867-60E3-040B-00000000D301}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452664Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:59.088{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452663Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:59.088{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452662Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:59.088{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452661Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:59.088{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452660Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:59.088{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0867-60E3-040B-00000000D301}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452659Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:59.088{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0867-60E3-040B-00000000D301}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452658Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:25:59.089{D694AEB8-0867-60E3-040B-00000000D301}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001452703Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.939{D694AEB8-B3EA-60E2-1600-00000000D301}1296300C:\Windows\system32\svchost.exe{D694AEB8-0868-60E3-070B-00000000D301}5368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452702Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.939{D694AEB8-B3EA-60E2-1600-00000000D301}12961384C:\Windows\system32\svchost.exe{D694AEB8-0868-60E3-070B-00000000D301}5368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452701Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.923{D694AEB8-B3E8-60E2-0B00-00000000D301}6565876C:\Windows\system32\lsass.exe{D694AEB8-0868-60E3-070B-00000000D301}5368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452700Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.923{D694AEB8-B3E8-60E2-0B00-00000000D301}6565876C:\Windows\system32\lsass.exe{D694AEB8-0868-60E3-070B-00000000D301}5368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001452699Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-CreatePipe2021-07-05 13:26:00.908{D694AEB8-0868-60E3-070B-00000000D301}5368\PSHost.132699651608287247.5368.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001452698Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.903{D694AEB8-0868-60E3-070B-00000000D301}5368ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_q5q21tho.eyy.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452697Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.902{D694AEB8-0868-60E3-070B-00000000D301}5368ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_njlwvfwt.g5h.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452696Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.886{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4DA4542383F4D049667150F27FA0813,SHA256=0CD5C74D6A141DD3F9D88C4C6C27B9E4F02E326E727470834B0BF5FE2DBA4397,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397798Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:00.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4C8B2E58D4A7253CA2CFF9CC29945AA,SHA256=C5BC9D256C0EFD87AB8AEFD134F489D790B63AE95CF8095C95962C80ABB0F4E2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001452695Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.870{D694AEB8-0868-60E3-070B-00000000D301}5368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_njlwvfwt.g5h.ps12021-07-05 13:26:00.870 10341000x80000000000000001452694Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.855{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-0868-60E3-070B-00000000D301}5368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452693Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.823{D694AEB8-085C-60E3-020B-00000000D301}52925776C:\Windows\system32\conhost.exe{D694AEB8-0868-60E3-070B-00000000D301}5368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452692Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.823{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452691Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.823{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452690Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.823{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452689Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.823{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452688Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.823{D694AEB8-D131-60E2-0904-00000000D301}17164304C:\Windows\system32\csrss.exe{D694AEB8-0868-60E3-070B-00000000D301}5368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452687Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.823{D694AEB8-085C-60E3-010B-00000000D301}55564252C:\Windows\system32\cmd.exe{D694AEB8-0868-60E3-070B-00000000D301}5368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452686Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.828{D694AEB8-0868-60E3-070B-00000000D301}5368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershellC:\Temp\ATTACKRANGE\Administrator{D694AEB8-D133-60E2-3BFB-250000000000}0x25fb3b2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D694AEB8-085C-60E3-010B-00000000D301}5556C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x80000000000000001452685Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.324{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0868-60E3-060B-00000000D301}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452684Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.324{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452683Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.324{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452682Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.324{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452681Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.324{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452680Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.324{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0868-60E3-060B-00000000D301}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452679Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.324{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0868-60E3-060B-00000000D301}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452678Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.326{D694AEB8-0868-60E3-060B-00000000D301}5468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001452677Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:00.106{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75119B871042C223EAB13C2A0EAA6E9C,SHA256=BD3D28484A3A6001092282DBA71B0DED9C5D7C362C177C4FEAED8995E90ED20F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397797Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:25:58.229{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53885-false10.0.1.12-8000- 10341000x80000000000000001452709Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:01.943{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55af0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001452708Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:01.943{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+555d1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001452707Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:01.943{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF14a27f5.TMPMD5=7CC92A355EA66A219E3148903E63F654,SHA256=CDE288AC5D74287BFA2D9257B236405535586530C59E6CD093A4AD9FE7326A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452706Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:01.891{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC9CF7FAB3CA3095AB65042DC869A60A,SHA256=099B87821D3C65681EC3EF3459ACDC191DA749EDD3A2E85F7FA119BFC6A152DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397799Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:01.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14AE7B43CD005E7F86235E0FCE825F75,SHA256=68E9FDC83920FF9EA357702F5AD94A6761A950B1EC700D5BE6641BD211DEC5FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452705Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:01.859{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7484F2220879E61BD5B272CF50AD53AA,SHA256=BFBD4BD97E76EE56F2E749F24B9150AD3DF7848C9F6CD8E4FF7C1DC9C4A7ED79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452704Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:01.355{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24D6C8415EA319297A248D5F1BFFAB14,SHA256=7AC088C037EA3AC8723DCBDE9F0CDB1BC3EE1136682FDCFE23DA27DA4D430751,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452720Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:02.941{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-086A-60E3-080B-00000000D301}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452719Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:02.939{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452718Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:02.939{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452717Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:02.939{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452716Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:02.939{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452715Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:02.938{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-086A-60E3-080B-00000000D301}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452714Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:02.938{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-086A-60E3-080B-00000000D301}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452713Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:02.937{D694AEB8-086A-60E3-080B-00000000D301}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001452712Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:02.920{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5935D068F7562DC450966FEA5ED0025F,SHA256=03A324EDCEFEA2B916EC019E72952500150620E6E89148749CD05FA88BC643A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397800Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:02.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F5E2D7B17D914BEC0D6BABF13DD761F,SHA256=D2574FA9698F85D79707A7357D2505206B5C8DB82970084E64723636A571ED58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452711Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:02.905{D694AEB8-B3EA-60E2-0D00-00000000D301}9166272C:\Windows\system32\svchost.exe{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452710Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:02.905{D694AEB8-B3EA-60E2-0D00-00000000D301}9166272C:\Windows\system32\svchost.exe{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001452733Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:03.972{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAACF05473ED7F06AB4A3534583F86C6,SHA256=63FACFDAE61F3B43FE861F48893D79D6092C0118AF675E159A4EF5D33B38DC8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452732Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:03.941{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15717735349AFF211C0132878F16574D,SHA256=2FB9E4C86B2BA4DC259744847AC99102AEC3441609AA46EB6FC2F3DE52CCE966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397801Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:03.420{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BFD56BF71B952C6BAE33AA5246CB1C8,SHA256=AC69C6C96B601D2B9E14181979AD4EB0A95EC31A567C456F6474CEAE221A5141,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452731Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:03.788{D694AEB8-086B-60E3-090B-00000000D301}64965732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452730Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:03.620{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-086B-60E3-090B-00000000D301}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452729Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:03.620{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452728Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:03.620{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452727Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:03.620{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452726Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:03.620{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452725Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:03.620{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-086B-60E3-090B-00000000D301}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452724Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:03.620{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-086B-60E3-090B-00000000D301}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452723Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:03.620{D694AEB8-086B-60E3-090B-00000000D301}6496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001452722Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:01.472{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60841-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001452721Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:03.104{D694AEB8-086A-60E3-080B-00000000D301}62045908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001452770Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.986{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=19EAA67FF40D270ED4EAB5BB4326C833,SHA256=5813735A3DB4E55E4C5525B3CED5F43E729D1628E89F9F6BC2D5FCC946CA3F38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452769Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.970{D694AEB8-086C-60E3-0C0B-00000000D301}33281628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001452768Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.970{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEB41C16B1F59C3F2EE56F1E7C14E2D2,SHA256=19AFAFB8B285D14E4E6CB9052FA15A292A79E4565933DAAD52BB0F33C633DA56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452767Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.970{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8F63EB0577D93DDC33C59DEC90E491DD,SHA256=330D1F4D8C535E33657A78C8F694F07E5B7291F892F1F8822F0DDC3883472033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397802Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:04.436{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=346DD996213848510CEA09AFB0879BA6,SHA256=FA6A59F951ABF32A96F92B298E07F13F3C013AF15857EFE4C2ABF73AD5C24C78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452766Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.786{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-086C-60E3-0C0B-00000000D301}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452765Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.786{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452764Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.786{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452763Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.786{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452762Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.786{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452761Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.786{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-086C-60E3-0C0B-00000000D301}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452760Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.786{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-086C-60E3-0C0B-00000000D301}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452759Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.787{D694AEB8-086C-60E3-0C0B-00000000D301}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001452758Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.555{D694AEB8-B3EA-60E2-1600-00000000D301}1296300C:\Windows\system32\svchost.exe{D694AEB8-086C-60E3-0B0B-00000000D301}2440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452757Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.555{D694AEB8-B3EA-60E2-1600-00000000D301}12961384C:\Windows\system32\svchost.exe{D694AEB8-086C-60E3-0B0B-00000000D301}2440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452756Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.535{D694AEB8-B3E8-60E2-0B00-00000000D301}6565876C:\Windows\system32\lsass.exe{D694AEB8-086C-60E3-0B0B-00000000D301}2440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452755Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.535{D694AEB8-B3E8-60E2-0B00-00000000D301}6565876C:\Windows\system32\lsass.exe{D694AEB8-086C-60E3-0B0B-00000000D301}2440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001452754Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-CreatePipe2021-07-05 13:26:04.517{D694AEB8-086C-60E3-0B0B-00000000D301}2440\PSHost.132699651644449255.2440.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001452753Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.505{D694AEB8-086C-60E3-0B0B-00000000D301}2440ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_zgd3ca4i.4so.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452752Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.505{D694AEB8-086C-60E3-0B0B-00000000D301}2440ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_q5nbfiuo.tyb.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001452751Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.492{D694AEB8-086C-60E3-0B0B-00000000D301}2440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_q5nbfiuo.tyb.ps12021-07-05 13:26:04.492 10341000x80000000000000001452750Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.478{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-086C-60E3-0B0B-00000000D301}2440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452749Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.448{D694AEB8-085C-60E3-020B-00000000D301}52925776C:\Windows\system32\conhost.exe{D694AEB8-086C-60E3-0B0B-00000000D301}2440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452748Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.446{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452747Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.446{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452746Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.445{D694AEB8-D131-60E2-0904-00000000D301}17165668C:\Windows\system32\csrss.exe{D694AEB8-086C-60E3-0B0B-00000000D301}2440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452745Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.446{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452744Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.446{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452743Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.445{D694AEB8-0868-60E3-070B-00000000D301}53686052C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D694AEB8-086C-60E3-0B0B-00000000D301}2440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+45666d57(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+44adb480(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+44adb0bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+455b2119(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+44a9802d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+44afba9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+44addaae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+44addaae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+44add93f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+44ace65f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+44adbba1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+44adb713(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+44adb480(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+44adb0bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+455b2119(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+44a9802d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\590a3504a0ae95b919078deb11475889\System.Management.Automation.ni.dll+44afba9f(wow64) 154100x80000000000000001452742Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.444{D694AEB8-086C-60E3-0B0B-00000000D301}2440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring True -DisableIntrusionPreventionSystem True -DisableIOAVProtection True -DisableScriptScanning TrueC:\Temp\ATTACKRANGE\Administrator{D694AEB8-D133-60E2-3BFB-250000000000}0x25fb3b2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D694AEB8-0868-60E3-070B-00000000D301}5368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell 10341000x80000000000000001452741Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.288{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-086C-60E3-0A0B-00000000D301}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452740Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.288{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452739Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.288{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452738Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.288{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452737Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.288{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452736Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.288{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-086C-60E3-0A0B-00000000D301}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452735Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.288{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-086C-60E3-0A0B-00000000D301}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452734Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:04.289{D694AEB8-086C-60E3-0A0B-00000000D301}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001452775Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:05.832{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=060CFC1F73611545596EF03B3D94537E,SHA256=4043A65ABDCFE67E4BAE37E4D39D3D8DC519B4AD7B39201A81A56E0D22DCC493,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452774Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:03.307{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60842-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001452773Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:03.307{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60842-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 23542300x80000000000000001452772Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:05.317{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=663E1474F63FCDCABEA91C39A8863762,SHA256=E0E3AD7C567414A3688434220E886F31B89C90F432C8028B6C6825130863BA3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452771Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:05.052{D694AEB8-086C-60E3-0B0B-00000000D301}2440ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397804Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:03.448{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53886-false10.0.1.12-8000- 23542300x8000000000000000397803Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:05.436{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B442F92D2BEDAD8CE1408592AB35AF3,SHA256=C01B1911ACC807BADFEC27721E79D5787CEBFD1C3457BB2C4510B502C1AA0FA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397805Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:06.435{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17AA68C866CF88DCFC63A6E922478141,SHA256=5E8F6487BA5F1307C08E93BC7858F545A377E93E63DA6849BDA428CE48298BB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452776Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:06.001{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B25B4D76682C84FA6093C1D9047A4B,SHA256=6CE703002055B9B7F203BA26954AA49A9446A0F67CB7E31435F6F63EFC7B7E75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397806Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:07.436{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE3A97BDD1D9C02F54532D47D529CCC,SHA256=12FE6CE86D803B21F5C4CD0504F998B1A3D0CD289489D228868DAB83D98528D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452777Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:07.015{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3190430201AE2F772A5342A259558204,SHA256=3DFB404F3C7E3D52F72AD149C6CD2FD4DFC91EB4A07CE53B2A10D41EDE5B40DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397807Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:08.435{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C715FFE2E5B90B303F6E50F39E05073,SHA256=F635AF61EB4C1861F8441FD0F589554533816731D41A98F7C20343E1F7740B2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452779Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:06.481{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60843-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001452778Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:08.048{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC8C07E82222166217510BFC3F092166,SHA256=B0389B7DEC1D02426113370AFD40D1582A150AD2C277C3A31D52AF76FF8C9E94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397808Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:09.435{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D48117EAFF3E6C4FDFC51311704515F,SHA256=C10A6F03914C48251AAFC643BBB2E96B2A1495B9957FA0CEA6AB0F4671B6A3E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452785Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:09.528{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=097AA1A380BFA0E0040588D7881A671F,SHA256=0D8CA9C0415109E39B2AE2A39084732945F7F0D5B916F14177329607C64B60D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452784Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:09.528{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=127E6120AC94118D832039610A2291AE,SHA256=9CD9DCBF2CC74ED55468CEC4E700960B646BD6AFA011437657A3FDA5E77D9EBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452783Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:09.528{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=F65642800B2D28E8EA085C3FEDE019B7,SHA256=8378C2C997A57AECD773A6C22A2D7303D94CD400DC45F44B2ECB270BCE2D5485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452782Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:09.528{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=5E3011B4A19EC06F4EDD48B269FBE8DC,SHA256=243771A4057FD6EFC7180D872636E017E4135E94D3565F4F90AC0362BF87261A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452781Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:09.528{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=E26CF8F222BF690E39AFA814ABFE1ABE,SHA256=1857E3EF1ED21D93E620BCDE0B04A12B1D65FCA6747732FCC6BD92F0448E887A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452780Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:09.066{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F60EB77E0850DBF96C3A86DB7AF071AC,SHA256=C17CFC7676FD672C5DD72B9C7EAA113315005263086927BAE26700D9EF85F0B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452786Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:10.081{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFCCC7BBCB22E43405CD48DAB346DC8A,SHA256=280B03A5DE19260947B5AF0DB0537358DF22EE5CD85567376FB8E6F4080560ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397810Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:09.401{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53887-false10.0.1.12-8000- 23542300x8000000000000000397809Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:10.435{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08F43AC4A2E9D9BBF9349975E2756B3,SHA256=456D8516BC0C4F57157244631BE50CB62E34DDF68B7B1A0D11E38FCF7BF4D860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397811Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:11.435{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C575060D1B97B45BC3ECAE4D143A0319,SHA256=088FFC24C6C4197C41A2D2D3E516D2BA43D91CDD445D7464D7DBB09993281285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452787Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:11.111{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80DD03B94F204C80296A837354C4F88C,SHA256=B199800F69EA74AAA80D69AEC315CE182CDB6754FA48AE1B9C726AF3F09A87FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397812Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:12.435{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A98CB03CA5193A61FFAAB410EE4E395,SHA256=57B8E77B8CB58ACF7C44180DD3C8A5B2E6EBA07E975E19D5C731FD017F56B071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452788Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:12.145{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA952A1501B348419126D527174668E,SHA256=CFAA6955D97C870CA9D8DE11A1E732B597DAAEF765CBECBABE020592AC5C0C13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397813Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:13.435{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C547362671C109F1C0E233B3EA03A96A,SHA256=C51BB28EF7162FF64F917220F735A0A8D0F14FF4F6D093BA6D0FBDB9231CE74D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452800Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:13.762{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=B94DDB7185F10BE683307E1F8426EADC,SHA256=B836270376A7A77CB01DD756171D7A03AB0C8CCA4F86F066603B3BD2E4C01382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452799Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:13.746{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=96FF59DBB7C23F6DD5D985B18B603B0B,SHA256=EF5A02294A1FFFDC070DFD50211ABAEBEC3BB0178F47FB85FE4171A31BAAC9A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452798Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:13.746{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=194C9EB64EE215D1A65B5B79C16924A0,SHA256=3F5F4A648313D7FDDAE6C3BC83A5FA318A1B2D5C0C5ED3D6FACE68DCC11EE87F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452797Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:13.746{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=0D1DF7311F2E5130FEAFE529678120A2,SHA256=02D2E6AEFA92C492F2E32396FC114F838771E9A2D7C232EDE3D59DC0F0F727E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452796Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:13.746{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=1D350070F780D1EE11FAD2F0978A682F,SHA256=AD968420F64C5C0708323426D79F9F33826C2573776097A4FA26E5F8BC50791D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452795Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:13.746{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=AF50ED090B698739415639070B66E7D1,SHA256=D7A02E40E16884F3724F7BD0E94C9B81A1DB5CE75D30BE22D2DAAD6AB434224D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452794Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:13.746{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=E60D3721FE300B2EF28510E159DFA238,SHA256=AFE967B9F105BBFE4A31C3F5B9662305D1B8A280988F4A1D41BCDAF3E7E62E7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452793Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:13.746{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83F-60E2-F508-00000000D301}4828C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+521b0|C:\Program Files\Mozilla Firefox\xul.dll+29fa9ed|C:\Program Files\Mozilla Firefox\xul.dll+29fa6b9|C:\Program Files\Mozilla Firefox\xul.dll+29f58ff|C:\Program Files\Mozilla Firefox\xul.dll+29c1801|C:\Program Files\Mozilla Firefox\xul.dll+4e6ea12|C:\Program Files\Mozilla Firefox\xul.dll+14a9071|C:\Program Files\Mozilla Firefox\xul.dll+14ab9bc|C:\Program Files\Mozilla Firefox\xul.dll+101613|C:\Program Files\Mozilla Firefox\xul.dll+3c2fad7|C:\Program Files\Mozilla Firefox\xul.dll+faae2|C:\Program Files\Mozilla Firefox\xul.dll+3b1a911|C:\Program Files\Mozilla Firefox\xul.dll+101a8a|C:\Program Files\Mozilla Firefox\xul.dll+3c2fad7|C:\Program Files\Mozilla Firefox\xul.dll+faae2|C:\Program Files\Mozilla Firefox\xul.dll+3b1a911|C:\Program Files\Mozilla Firefox\xul.dll+101a8a|C:\Program Files\Mozilla Firefox\xul.dll+4fb7ea|C:\Program Files\Mozilla Firefox\xul.dll+23e75b6|C:\Program Files\Mozilla Firefox\xul.dll+23dfc59|C:\Program Files\Mozilla Firefox\xul.dll+244d41|C:\Program Files\Mozilla Firefox\xul.dll+243785 10341000x80000000000000001452792Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:13.746{D694AEB8-D134-60E2-1A04-00000000D301}46644852C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452791Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:13.746{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452790Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:13.746{D694AEB8-D134-60E2-1A04-00000000D301}46644812C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001452789Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:13.162{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD63942F4205918C6E7FD817D394FC7E,SHA256=D829DE9552C1514A60E2B13C9886A3E9350B82E88C0D003C1A3D86377E2F801D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452806Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:14.976{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d87090|C:\Program Files\Mozilla Firefox\xul.dll+2d86f05|C:\Program Files\Mozilla Firefox\xul.dll+2d86a87|C:\Program Files\Mozilla Firefox\xul.dll+2d8654a|C:\Program Files\Mozilla Firefox\xul.dll+2d8720f 10341000x80000000000000001452805Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:14.976{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571 10341000x80000000000000001452804Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:14.960{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83F-60E2-F508-00000000D301}4828C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+521b0|C:\Program Files\Mozilla Firefox\xul.dll+29fa9ed|C:\Program Files\Mozilla Firefox\xul.dll+29fa4f7|C:\Program Files\Mozilla Firefox\xul.dll+da83b9|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+40208|C:\Program Files\Mozilla Firefox\xul.dll+122aede|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001452803Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:11.613{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60844-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001452802Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:14.346{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\pending_pings\be9b525e-efa1-4e40-b979-5c9ee2f659bdMD5=30A0BA321C11FE2DAC027355F14A7565,SHA256=BDD4B19DBD175E35746055C7345C456A97DF26A36CCF084C37A7D8928F326332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452801Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:14.192{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7AEB2ABE93AFCF7616B91475A864413,SHA256=ED01F0B501FE30D09E6CF5AA75DE44F1600C8A9D04DCDE8B96FC31381CF0CC66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397814Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:14.435{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DBEA0C2C946291BF638341931AB647E,SHA256=37AD090F9E84DED08C3AC67D1A4D6B8821AEA85DB49A611EC0DC2BADD5DE5497,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001452814Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:13.788{D694AEB8-F83C-60E2-EF08-00000000D301}6572pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com052.12.55.135;52.38.70.232;44.226.235.191;44.237.104.177;52.42.129.205;44.235.28.153;34.215.46.102;54.190.205.249;C:\Program Files\Mozilla Firefox\firefox.exe 354300x80000000000000001452813Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:13.382{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60845-false54.190.205.249ec2-54-190-205-249.us-west-2.compute.amazonaws.com443https 354300x80000000000000001452812Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:13.244{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local49791- 23542300x80000000000000001452811Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:15.207{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1AC9F127CDCB000193BA60AC1C77CF8,SHA256=494F272FEF8753962117DF6869D1150230406C8DED1851C4663BC0939DFBDBC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397816Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:14.417{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53888-false10.0.1.12-8000- 23542300x8000000000000000397815Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:15.435{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25F93EA8FCF501F400F30BE84D259F6,SHA256=693967C116AE163128389161A52A2C172EC2033CED049D0D0D5E21CD5FAE2104,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452810Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:15.092{D694AEB8-F83C-60E2-EF08-00000000D301}65723244C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452809Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:15.092{D694AEB8-F83C-60E2-EF08-00000000D301}65723244C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452808Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:15.076{D694AEB8-F83C-60E2-EF08-00000000D301}65723244C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452807Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:15.060{D694AEB8-F83C-60E2-EF08-00000000D301}65723244C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000397817Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:16.435{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198E7F7093070039145DCF9040E20168,SHA256=1EA21673C9C729FD0AC04495D26763F6074CB5E245CC94051B2781AE3E875F15,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452822Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:14.424{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60846-false143.204.205.36server-143-204-205-36.fra53.r.cloudfront.net443https 354300x80000000000000001452821Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:14.423{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local50391- 354300x80000000000000001452820Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:14.421{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local49244- 10341000x80000000000000001452819Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.343{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d87090|C:\Program Files\Mozilla Firefox\xul.dll+2d86f05|C:\Program Files\Mozilla Firefox\xul.dll+2d86a87|C:\Program Files\Mozilla Firefox\xul.dll+2d8654a|C:\Program Files\Mozilla Firefox\xul.dll+2d8720f 10341000x80000000000000001452818Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.343{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571 10341000x80000000000000001452817Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.290{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d8d317|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+40208|C:\Program Files\Mozilla Firefox\xul.dll+122aede|C:\Program Files\Mozilla Firefox\xul.dll+120351f 10341000x80000000000000001452816Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.290{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571 23542300x80000000000000001452815Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.222{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74055CAC7E9050EDD70B9FC3B61D37DB,SHA256=78C3E304C638BFA066460E4B99E932842F49436A70BBE3F55A72D1CB1ABFA698,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001452838Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:17.047{D694AEB8-F83C-60E2-EF08-00000000D301}6572youtube-ui.l.google.com0142.250.74.206;142.250.186.46;142.250.186.78;142.250.184.238;172.217.18.110;172.217.23.110;216.58.212.142;142.250.185.78;172.217.16.142;142.250.185.110;142.250.185.142;142.250.185.174;142.250.185.206;142.250.185.238;142.250.181.238;216.58.212.174;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001452837Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:17.047{D694AEB8-F83C-60E2-EF08-00000000D301}6572www.youtube.com0type: 5 youtube-ui.l.google.com;::ffff:216.58.212.174;::ffff:142.250.74.206;::ffff:142.250.186.46;::ffff:142.250.186.78;::ffff:142.250.184.238;::ffff:172.217.18.110;::ffff:172.217.23.110;::ffff:216.58.212.142;::ffff:142.250.185.78;::ffff:172.217.16.142;::ffff:142.250.185.110;::ffff:142.250.185.142;::ffff:142.250.185.174;::ffff:142.250.185.206;::ffff:142.250.185.238;::ffff:142.250.181.238;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001452836Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:17.046{D694AEB8-F83C-60E2-EF08-00000000D301}6572e15317.a.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001452835Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:17.045{D694AEB8-F83C-60E2-EF08-00000000D301}6572e15317.a.akamaiedge.net02.22.89.78;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001452834Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:17.042{D694AEB8-F83C-60E2-EF08-00000000D301}6572www.amazon.de0type: 5 tp.abe2c2f23-frontier.amazon.de;type: 5 www.amazon.de.edgekey.net;type: 5 e15317.a.akamaiedge.net;::ffff:2.22.89.78;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001452833Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.457{D694AEB8-F83C-60E2-EF08-00000000D301}6572www.google.com02a00:1450:4001:82b::2004;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001452832Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.456{D694AEB8-F83C-60E2-EF08-00000000D301}6572www.google.com0142.250.185.68;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001452831Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.455{D694AEB8-F83C-60E2-EF08-00000000D301}6572www.google.com0::ffff:142.250.185.68;C:\Program Files\Mozilla Firefox\firefox.exe 354300x80000000000000001452830Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:15.913{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-201.attackrange.local60101-false142.250.185.68fra16s48-in-f4.1e100.net443https 354300x80000000000000001452829Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:15.913{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56185- 354300x80000000000000001452828Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:15.912{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local64386- 354300x80000000000000001452827Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:15.911{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60100- 354300x80000000000000001452826Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:14.612{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60849-false54.190.205.249ec2-54-190-205-249.us-west-2.compute.amazonaws.com443https 354300x80000000000000001452825Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:14.607{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60848-false54.190.205.249ec2-54-190-205-249.us-west-2.compute.amazonaws.com443https 354300x80000000000000001452824Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:14.606{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60847-false54.190.205.249ec2-54-190-205-249.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001452823Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:17.235{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07882E006B83A2C12874173FBEB2DEC2,SHA256=A8E22278664092540AE67391F867A02C6E76CF363D546B4FB6090625A6928D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397818Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:17.435{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E370BCABFA24E518A5B9BD35E6C602A5,SHA256=1FEC6B9CEB0672493E847E1DBC6F94A8EE6754300D0A926E99455818C76AA15C,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001452861Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:17.051{D694AEB8-F83C-60E2-EF08-00000000D301}6572reddit.map.fastly.net0199.232.137.140;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001452860Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:17.050{D694AEB8-F83C-60E2-EF08-00000000D301}6572www.reddit.com0type: 5 reddit.map.fastly.net;::ffff:199.232.137.140;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001452859Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:17.049{D694AEB8-F83C-60E2-EF08-00000000D301}6572youtube-ui.l.google.com02a00:1450:4001:831::200e;2a00:1450:4001:809::200e;2a00:1450:4001:800::200e;2a00:1450:4001:801::200e;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001452858Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:18.774{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED8096FC3D74D56858B411D9AA1427C,SHA256=3B8246EBEF93F02B4F9424C53E693DBB8B04B07D9C87C2D565921654A514EEE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452857Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.507{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local49703- 354300x80000000000000001452856Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.507{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local54047- 354300x80000000000000001452855Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.506{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56268- 354300x80000000000000001452854Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.506{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local64314- 23542300x8000000000000000397819Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:18.435{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEB752F123373F854D2EA03A9E4523A6,SHA256=52BDA61D78DB88AA46CBCBA1273C828A18577ACDE39C6BA25C94B76564CC6F86,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452853Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.506{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local59654- 354300x80000000000000001452852Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.504{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local64652- 354300x80000000000000001452851Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.504{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63115- 354300x80000000000000001452850Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.504{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60326- 354300x80000000000000001452849Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.503{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60963- 354300x80000000000000001452848Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.502{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local59992- 354300x80000000000000001452847Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.502{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local64234- 354300x80000000000000001452846Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.501{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local58535- 354300x80000000000000001452845Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.501{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local59956- 354300x80000000000000001452844Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.500{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56187- 354300x80000000000000001452843Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.499{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local50429- 354300x80000000000000001452842Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.499{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local58083- 354300x80000000000000001452841Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.498{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56338- 354300x80000000000000001452840Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.498{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local49736- 354300x80000000000000001452839Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:16.497{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local65093- 23542300x80000000000000001452865Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:19.975{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\cache2\doomed\22459MD5=12C712057BA0BD41DF073E024ED5E939,SHA256=CE1F9AB4C2DCD4AA7AA00EAE11CD7ABE9FA879336053E30C1FB36A53862D54F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452864Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:17.589{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60850-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001452863Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:17.115{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local51131- 23542300x80000000000000001452862Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:19.767{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B283163A4FA71A2CA45A01C6BA55D43C,SHA256=5B44BA29922E12402BB5E8F51FC0F3930469DC879903DF448B993737FC6487AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397820Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:19.435{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFE7ACAED1AD69B499C3A5842CC1CE9D,SHA256=21DC8109AFA23E9BCFCB11371FFC48BF87E4727610D185E5E7F99A21100F77F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452868Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:18.296{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local60851-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 354300x80000000000000001452867Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:18.296{D694AEB8-B3E5-60E2-0100-00000000D301}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local60851-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local445microsoft-ds 23542300x80000000000000001452866Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:20.776{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7111CB30CEA793C7931894463254A989,SHA256=39CC6764261F4C3C271C73E2BA0CBDF8E3C2F9DBB2A70151AC59D5881B87A404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397821Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:20.435{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A853BABF7CA68E40F23A301BB8C945,SHA256=2B4695C1B54212E3CB36D113A81A9752F1CDA1654CB780AAF8E68A7AE191F000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397822Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:21.435{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8FA51BE7056F9605111763D25A8C662,SHA256=61D453255EC8395D148D716BFA2C3CB9930B9BF459E9FF5A689A9BB5BD7E5572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452900Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.903{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC340F6CD780022C71D0D3B2F711F9E,SHA256=0F7B086713FBF26CDC6ED772265547A0190F8FAE555498B88FACEA42F9E495E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452899Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.824{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452898Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.812{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452897Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.812{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452896Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.757{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452895Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.749{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452894Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.749{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452893Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.356{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452892Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.341{D694AEB8-B3E8-60E2-0B00-00000000D301}6565444C:\Windows\system32\lsass.exe{D694AEB8-B3E5-60E2-0100-00000000D301}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001452891Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.324{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452890Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.324{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001452889Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:26:21.316{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\DFD6B7A8-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_DFD6B7A8-0000-0000-0000-100000000000.XML 10341000x80000000000000001452888Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.313{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001452887Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:26:21.313{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Config SourceDWORD (0x00000001) 13241300x80000000000000001452886Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:26:21.313{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\E4B998BB-7148-4125-92A5-5D16014446F6\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_E4B998BB-7148-4125-92A5-5D16014446F6.XML 10341000x80000000000000001452885Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.311{D694AEB8-B3EA-60E2-1000-00000000D301}4161756C:\Windows\system32\svchost.exe{D694AEB8-F844-60E2-FA08-00000000D301}4152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001452884Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-ConnectPipe2021-07-05 13:26:21.261{D694AEB8-F83C-60E2-EF08-00000000D301}6572\chrome.4152.4.34412430C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001452883Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-CreatePipe2021-07-05 13:26:21.261{D694AEB8-F844-60E2-FA08-00000000D301}4152\chrome.4152.4.34412430C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001452882Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.237{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d8d317|C:\Program Files\Mozilla Firefox\xul.dll+da05d3 10341000x80000000000000001452881Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.237{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d 10341000x80000000000000001452880Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.236{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d8d317|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+40208|C:\Program Files\Mozilla Firefox\xul.dll+122aede|C:\Program Files\Mozilla Firefox\xul.dll+120351f 10341000x80000000000000001452879Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.236{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571 10341000x80000000000000001452878Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.234{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d8d317|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+40208|C:\Program Files\Mozilla Firefox\xul.dll+122aede|C:\Program Files\Mozilla Firefox\xul.dll+120351f 10341000x80000000000000001452877Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.230{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571 18141800x80000000000000001452876Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-ConnectPipe2021-07-05 13:26:21.226{D694AEB8-F83C-60E2-EF08-00000000D301}6572\chrome.4152.3.11878014C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001452875Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-CreatePipe2021-07-05 13:26:21.226{D694AEB8-F844-60E2-FA08-00000000D301}4152\chrome.4152.3.11878014C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001452874Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.225{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F844-60E2-FA08-00000000D301}4152C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+521b0|C:\Program Files\Mozilla Firefox\xul.dll+29fa9ed|C:\Program Files\Mozilla Firefox\xul.dll+29f47e9|C:\Program Files\Mozilla Firefox\xul.dll+29f5251|C:\Program Files\Mozilla Firefox\xul.dll+29d22ea|C:\Program Files\Mozilla Firefox\xul.dll+3794eaf|C:\Program Files\Mozilla Firefox\xul.dll+117b9f1|C:\Program Files\Mozilla Firefox\xul.dll+117ec84|C:\Program Files\Mozilla Firefox\xul.dll+10ee581|C:\Program Files\Mozilla Firefox\xul.dll+3c47bd|C:\Program Files\Mozilla Firefox\xul.dll+11873b7|C:\Program Files\Mozilla Firefox\xul.dll+1112adc|C:\Program Files\Mozilla Firefox\xul.dll+1117990|C:\Program Files\Mozilla Firefox\xul.dll+1115dac|C:\Program Files\Mozilla Firefox\xul.dll+1115359|C:\Program Files\Mozilla Firefox\xul.dll+111454e|C:\Program Files\Mozilla Firefox\xul.dll+11242fe|C:\Program Files\Mozilla Firefox\xul.dll+e56542|C:\Program Files\Mozilla Firefox\xul.dll+d80a17|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+40208|C:\Program Files\Mozilla Firefox\xul.dll+122aede 10341000x80000000000000001452873Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.193{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d87090|C:\Program Files\Mozilla Firefox\xul.dll+2d86f05|C:\Program Files\Mozilla Firefox\xul.dll+2d86a87|C:\Program Files\Mozilla Firefox\xul.dll+2d8654a|C:\Program Files\Mozilla Firefox\xul.dll+2d8720f 10341000x80000000000000001452872Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.193{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571 10341000x80000000000000001452871Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.163{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d87090|C:\Program Files\Mozilla Firefox\xul.dll+2d86f05 10341000x80000000000000001452870Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.163{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d 23542300x80000000000000001452869Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.161{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\formhistory.sqlite-journalMD5=62F0B2E962BA6A31AC91F4531F6D7787,SHA256=23A955299A115F79B7931D6A10A8E5D05C47986D60955F374FE9B633BAC8075F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452990Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.941{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=967978D556BEC6C0E2E937A0725906C4,SHA256=3E4851EE5ABFE975D5F456D9D67C296DA342F9781B8D924F78D08737ADD60DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397824Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:22.435{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5A821DC3E538C34BF9B79F4E10146C,SHA256=4376F8E7CC15AE5F552A5EDF7880C8126E50684CAD71296852B5F146DFC32578,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001452989Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.205{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-201.attackrange.local59299-false142.250.185.227fra16s53-in-f3.1e100.net443https 354300x80000000000000001452988Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:20.778{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local60859-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001452987Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:20.778{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local60859-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001452986Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:20.768{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local59298- 354300x80000000000000001452985Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:20.767{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local60858-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001452984Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:20.767{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local60858-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001452983Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:20.767{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63642- 354300x80000000000000001452982Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:20.765{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60974- 354300x80000000000000001452981Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:20.748{D694AEB8-B3EA-60E2-0D00-00000000D301}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local60856-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 354300x80000000000000001452980Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:20.748{D694AEB8-B3FA-60E2-2800-00000000D301}2836C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local60856-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 23542300x80000000000000001452979Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.425{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9F182E3AD335BA761FB332701977154,SHA256=6D8E6C0B98D099DC03B625C36FE55CC41F7357333A6ABD642493DE089BF06081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452978Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.424{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C4A62CE608F7787AB75838536D670FD,SHA256=681BF1096470BD370A9BCDFF464C057320CC4C9542AF9720B20D5AE58B3BB4D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001452977Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.423{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0463A78A33FF11A653C58E681B2DD418,SHA256=03CB4420E7FAA2A7CB532E98504D26A9F13DCE2F2975E592B2DF011EEDB5E2FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001452976Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.358{D694AEB8-F83C-60E2-EF08-00000000D301}65725256C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+121a0bc|C:\Program Files\Mozilla Firefox\xul.dll+13233a1|C:\Program Files\Mozilla Firefox\xul.dll+1f4e71|C:\Program Files\Mozilla Firefox\xul.dll+1227e54|C:\Program Files\Mozilla Firefox\xul.dll+4127f|C:\Program Files\Mozilla Firefox\xul.dll+3f78f|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001452975Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-ConnectPipe2021-07-05 13:26:22.358{D694AEB8-F83C-60E2-EF08-00000000D301}6572\chrome.6572.40.183621683C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000001452974Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-ConnectPipe2021-07-05 13:26:22.358{D694AEB8-F83C-60E2-EF08-00000000D301}6572\chrome.6572.39.29174792C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000001452973Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-ConnectPipe2021-07-05 13:26:22.357{D694AEB8-F83C-60E2-EF08-00000000D301}6572\chrome.6572.38.111297790C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000001452972Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-ConnectPipe2021-07-05 13:26:22.357{D694AEB8-F83C-60E2-EF08-00000000D301}6572\chrome.6572.36.108434036C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000001452971Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-ConnectPipe2021-07-05 13:26:22.357{D694AEB8-F83C-60E2-EF08-00000000D301}6572\chrome.6572.37.192747024C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000001452970Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-ConnectPipe2021-07-05 13:26:22.357{D694AEB8-F83C-60E2-EF08-00000000D301}6572\chrome.6572.35.199276206C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001452969Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.349{D694AEB8-B3EA-60E2-1000-00000000D301}4161756C:\Windows\system32\svchost.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452968Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.348{D694AEB8-B3EA-60E2-1000-00000000D301}4161756C:\Windows\system32\svchost.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001452967Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-ConnectPipe2021-07-05 13:26:22.337{D694AEB8-F83C-60E2-EF08-00000000D301}6572\chrome.6472.2.212947463C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001452966Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-CreatePipe2021-07-05 13:26:22.337{D694AEB8-087E-60E3-0D0B-00000000D301}6472\chrome.6472.2.212947463C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000001452965Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-ConnectPipe2021-07-05 13:26:22.336{D694AEB8-F83C-60E2-EF08-00000000D301}6572\chrome.6472.1.166205322C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001452964Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-CreatePipe2021-07-05 13:26:22.336{D694AEB8-087E-60E3-0D0B-00000000D301}6472\chrome.6472.1.166205322C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000001452963Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-ConnectPipe2021-07-05 13:26:22.336{D694AEB8-087E-60E3-0D0B-00000000D301}6472\chrome.6472.0.212413890C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001452962Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-CreatePipe2021-07-05 13:26:22.336{D694AEB8-087E-60E3-0D0B-00000000D301}6472\chrome.6472.0.212413890C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001452961Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.334{D694AEB8-B3E8-60E2-0B00-00000000D301}6566904C:\Windows\system32\lsass.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452960Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.334{D694AEB8-B3E8-60E2-0B00-00000000D301}6566904C:\Windows\system32\lsass.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452959Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.307{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b3568|C:\Program Files\Mozilla Firefox\xul.dll+122d767|C:\Program Files\Mozilla Firefox\xul.dll+12e44e9|C:\Program Files\Mozilla Firefox\xul.dll+29dfd24|C:\Program Files\Mozilla Firefox\xul.dll+12bfb3c|C:\Program Files\Mozilla Firefox\xul.dll+1227e54|C:\Program Files\Mozilla Firefox\xul.dll+da0207|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000001452958Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-ConnectPipe2021-07-05 13:26:22.307{D694AEB8-F83C-60E2-EF08-00000000D301}6572\cubeb-pipe-6572-4C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001452957Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-CreatePipe2021-07-05 13:26:22.307{D694AEB8-F83C-60E2-EF08-00000000D301}6572\cubeb-pipe-6572-4C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001452956Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.297{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452955Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.296{D694AEB8-B3EA-60E2-1600-00000000D301}12961384C:\Windows\system32\svchost.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001452954Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-ConnectPipe2021-07-05 13:26:22.295{D694AEB8-F83C-60E2-EF08-00000000D301}6572\chrome.6572.34.34691098C:\Program Files\Mozilla Firefox\firefox.exe 354300x80000000000000001452953Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:20.699{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-201.attackrange.local60855-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001452952Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:20.699{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60855-false10.0.1.14win-dc-201.attackrange.local389ldap 354300x80000000000000001452951Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:20.691{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local60854-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001452950Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:20.691{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local60854-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local389ldap 354300x80000000000000001452949Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:20.691{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local60853-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local49666- 354300x80000000000000001452948Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:20.691{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local60853-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local49666- 354300x80000000000000001452947Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:20.690{D694AEB8-B3EA-60E2-0D00-00000000D301}916C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local60852-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 354300x80000000000000001452946Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:20.690{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local60852-truefe80:0:0:0:c9ea:5da:d368:da96win-dc-201.attackrange.local135epmap 354300x80000000000000001452945Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:20.598{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local49994- 354300x80000000000000001452944Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:20.598{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local64558- 354300x80000000000000001452943Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:20.598{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local59565- 354300x80000000000000001452942Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:20.598{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local49220- 10341000x80000000000000001452941Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.293{D694AEB8-F83C-60E2-EF08-00000000D301}65726800C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+29ffab|C:\Program Files\Mozilla Firefox\xul.dll+3a5b85b|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001452940Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-ConnectPipe2021-07-05 13:26:22.293{D694AEB8-F83C-60E2-EF08-00000000D301}6572\gecko-crash-server-pipe.6572C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001452939Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-CreatePipe2021-07-05 13:26:22.247{D694AEB8-F83C-60E2-EF08-00000000D301}6572\chrome.6572.40.183621683C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001452938Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-CreatePipe2021-07-05 13:26:22.246{D694AEB8-F83C-60E2-EF08-00000000D301}6572\chrome.6572.39.29174792C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001452937Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.246{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+3e82ac|C:\Program Files\Mozilla Firefox\xul.dll+3e81fc|C:\Program Files\Mozilla Firefox\xul.dll+12b23b8|C:\Program Files\Mozilla Firefox\xul.dll+1307c21|C:\Program Files\Mozilla Firefox\xul.dll+1866ca1|C:\Program Files\Mozilla Firefox\xul.dll+29d482c|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 17141700x80000000000000001452936Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-CreatePipe2021-07-05 13:26:22.246{D694AEB8-F83C-60E2-EF08-00000000D301}6572\chrome.6572.38.111297790C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001452935Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.246{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+3e82ac|C:\Program Files\Mozilla Firefox\xul.dll+3e81fc|C:\Program Files\Mozilla Firefox\xul.dll+12b23b8|C:\Program Files\Mozilla Firefox\xul.dll+1307b21|C:\Program Files\Mozilla Firefox\xul.dll+1866abe|C:\Program Files\Mozilla Firefox\xul.dll+29d482c|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 17141700x80000000000000001452934Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-CreatePipe2021-07-05 13:26:22.246{D694AEB8-F83C-60E2-EF08-00000000D301}6572\chrome.6572.37.192747024C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001452933Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.246{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+3e82ac|C:\Program Files\Mozilla Firefox\xul.dll+3e81fc|C:\Program Files\Mozilla Firefox\xul.dll+12b23b8|C:\Program Files\Mozilla Firefox\xul.dll+1307a21|C:\Program Files\Mozilla Firefox\xul.dll+1866904|C:\Program Files\Mozilla Firefox\xul.dll+29d482c|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 17141700x80000000000000001452932Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-CreatePipe2021-07-05 13:26:22.246{D694AEB8-F83C-60E2-EF08-00000000D301}6572\chrome.6572.36.108434036C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001452931Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.246{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+3e82ac|C:\Program Files\Mozilla Firefox\xul.dll+3e81fc|C:\Program Files\Mozilla Firefox\xul.dll+12b23b8|C:\Program Files\Mozilla Firefox\xul.dll+1307921|C:\Program Files\Mozilla Firefox\xul.dll+1866745|C:\Program Files\Mozilla Firefox\xul.dll+29d482c|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 354300x8000000000000000397823Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:20.464{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53889-false10.0.1.12-8000- 17141700x80000000000000001452930Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-CreatePipe2021-07-05 13:26:22.246{D694AEB8-F83C-60E2-EF08-00000000D301}6572\chrome.6572.35.199276206C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001452929Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.245{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+521b0|C:\Program Files\Mozilla Firefox\xul.dll+29fa9ed|C:\Program Files\Mozilla Firefox\xul.dll+29f47e9|C:\Program Files\Mozilla Firefox\xul.dll+29d4700|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452928Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.245{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b3568|C:\Program Files\Mozilla Firefox\xul.dll+12b337f|C:\Program Files\Mozilla Firefox\xul.dll+1470ecd|C:\Program Files\Mozilla Firefox\xul.dll+29d46a5|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001452927Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.245{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x80000000000000001452926Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.245{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x80000000000000001452925Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.245{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x80000000000000001452924Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.245{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x80000000000000001452923Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.245{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x80000000000000001452922Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.245{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x80000000000000001452921Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.245{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x80000000000000001452920Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.245{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x80000000000000001452919Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.245{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x80000000000000001452918Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.245{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x80000000000000001452917Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.244{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x80000000000000001452916Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.244{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x80000000000000001452915Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.244{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x80000000000000001452914Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.244{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b5348|C:\Program Files\Mozilla Firefox\xul.dll+29f8902|C:\Program Files\Mozilla Firefox\xul.dll+29d439e|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452913Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.244{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+29d4315|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452912Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.244{D694AEB8-F83C-60E2-EF08-00000000D301}65726700C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+122110f|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+1fe73|C:\Program Files\Mozilla Firefox\xul.dll+11fc728|C:\Program Files\Mozilla Firefox\xul.dll+1f215|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+1e76f|C:\Program Files\Mozilla Firefox\xul.dll+11fd4a1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452911Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.238{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452910Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.238{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452909Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.238{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452908Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.238{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452907Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.237{D694AEB8-D131-60E2-0904-00000000D301}17163592C:\Windows\system32\csrss.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001452906Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.237{D694AEB8-F83C-60E2-EF08-00000000D301}65726832C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+4330b|C:\Program Files\Mozilla Firefox\firefox.exe+24848|C:\Program Files\Mozilla Firefox\xul.dll+cfe4da|C:\Program Files\Mozilla Firefox\xul.dll+1217834|C:\Program Files\Mozilla Firefox\xul.dll+1215b02|C:\Program Files\Mozilla Firefox\xul.dll+122249e|C:\Program Files\Mozilla Firefox\xul.dll+da6214|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001452905Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.237{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe89.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6572.34.346910987\662555309" -childID 5 -isForBrowser -prefsHandle 8720 -prefMapHandle 8260 -prefsLen 6591 -prefMapSize 242486 -parentBuildID 20210622155641 -appdir "C:\Program Files\Mozilla Firefox\browser" - 6572 "\\.\pipe\gecko-crash-server-pipe.6572" 8428 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{D694AEB8-D133-60E2-3BFB-250000000000}0x25fb3b2LowMD5=EB061721B388D0AB67504EA4E0B9CB90,SHA256=F01545312FED4B611BC377F700B6B3AD16C5792D1D6AA5F695D61D8A7B0F23E3,IMPHASH=C483AB042998E5D3F9AC1D5A7C7ABDB2{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x80000000000000001452904Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-CreatePipe2021-07-05 13:26:22.227{D694AEB8-F83C-60E2-EF08-00000000D301}6572\chrome.6572.34.34691098C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001452903Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.021{D694AEB8-F83C-60E2-EF08-00000000D301}6572plus.l.google.com02a00:1450:4001:812::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001452902Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.313{D694AEB8-F83C-60E2-EF08-00000000D301}6572gstaticadssl.l.google.com02a00:1450:4001:808::2003;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001452901Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.311{D694AEB8-F83C-60E2-EF08-00000000D301}6572gstaticadssl.l.google.com0142.250.181.227;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000397825Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:23.435{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A2EA2341375A27D4608B33D1F3290FF,SHA256=3DAFCAD2525F5EB7E5F3ABAA9EE5AA909578A67FA74FB06509B8A30956A8A262,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453007Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:23.982{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d87090|C:\Program Files\Mozilla Firefox\xul.dll+2d86f05|C:\Program Files\Mozilla Firefox\xul.dll+2d86a87|C:\Program Files\Mozilla Firefox\xul.dll+2d8654a|C:\Program Files\Mozilla Firefox\xul.dll+2d8720f 10341000x80000000000000001453006Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:23.982{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571 10341000x80000000000000001453005Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:23.887{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d87090|C:\Program Files\Mozilla Firefox\xul.dll+2d86f05|C:\Program Files\Mozilla Firefox\xul.dll+2d86a87|C:\Program Files\Mozilla Firefox\xul.dll+2d8654a 10341000x80000000000000001453004Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:23.887{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002 354300x80000000000000001453003Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.584{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-201.attackrange.local57087-false142.250.184.194fra24s11-in-f2.1e100.net443https 354300x80000000000000001453002Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.584{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local65221- 354300x80000000000000001453001Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.583{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56840- 354300x80000000000000001453000Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.583{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local49477- 354300x80000000000000001452999Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.583{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local58258- 354300x80000000000000001452998Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.581{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local57086- 354300x80000000000000001452997Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.581{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local49217- 354300x80000000000000001452996Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.506{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local49966- 354300x80000000000000001452995Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.505{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-201.attackrange.local56187-false142.250.184.226fra24s12-in-f2.1e100.net443https 354300x80000000000000001452994Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.505{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61803- 22542200x80000000000000001452993Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:22.126{D694AEB8-F83C-60E2-EF08-00000000D301}6572adservice.google.de0type: 5 pagead46.l.doubleclick.net;::ffff:142.250.185.98;C:\Program Files\Mozilla Firefox\firefox.exe 354300x80000000000000001452992Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.477{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56358- 354300x80000000000000001452991Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:21.477{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-201.attackrange.local56185-false142.250.186.78fra24s05-in-f14.1e100.net443https 23542300x8000000000000000397826Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:24.435{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60242C88260188900C207481390939F7,SHA256=ABB9748E8AE2666F7D907D19CBDD5727B4C3ED0AA14CD0BE0D6C3E5E9D56E6C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453015Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.908{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d87090|C:\Program Files\Mozilla Firefox\xul.dll+2d86f05|C:\Program Files\Mozilla Firefox\xul.dll+2d86a87|C:\Program Files\Mozilla Firefox\xul.dll+2d8654a|C:\Program Files\Mozilla Firefox\xul.dll+2d8720f 10341000x80000000000000001453014Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.908{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571 10341000x80000000000000001453013Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.813{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d87090|C:\Program Files\Mozilla Firefox\xul.dll+2d86f05|C:\Program Files\Mozilla Firefox\xul.dll+2d86a87|C:\Program Files\Mozilla Firefox\xul.dll+2d8654a 10341000x80000000000000001453012Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.813{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002 10341000x80000000000000001453011Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.527{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d8d317|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+40208|C:\Program Files\Mozilla Firefox\xul.dll+122aede 10341000x80000000000000001453010Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.527{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002 23542300x80000000000000001453009Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.025{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C64BF66ED0BD3CED638F2C5E62002F,SHA256=A10604F454B47C2F53297BF654116E97CEC56FDC054B96D5E121875AAB15819C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453008Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.019{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\permissions.sqlite-journalMD5=25CA2549F5FBBD2C2CECF4C80E2E2F3A,SHA256=996CCEA9CE16AA2B12175C630B3D4A8A3DDB428AE53645764055410522BEE92C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397827Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:25.435{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1933A0631AE6599C5DC9A8553B655290,SHA256=AC6566E553F96B0C5EC9E50364DE86B8F4480F99002E2E73B9E45899CDD6942E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453033Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:23.454{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60860-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001453032Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.643{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453031Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.642{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453030Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.641{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453029Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.625{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453028Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.612{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453027Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.611{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453026Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.605{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453025Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.601{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453024Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.596{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453023Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.555{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453022Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.544{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453021Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.543{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453020Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.228{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d87090|C:\Program Files\Mozilla Firefox\xul.dll+2d86f05 10341000x80000000000000001453019Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.228{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d 23542300x80000000000000001453018Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.025{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E641F57A11D2A8B91CC7138BF0385AE4,SHA256=B65C4DA8BBAAF053E5721103E0C22BE301194CDF6447C03B94572D691FCB06AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453017Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.004{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d8d317|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+40208|C:\Program Files\Mozilla Firefox\xul.dll+122aede|C:\Program Files\Mozilla Firefox\xul.dll+120351f 10341000x80000000000000001453016Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.004{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571 23542300x8000000000000000397829Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:26.449{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C836BFC03DE33FC4FB709493512666,SHA256=D4FBA6F1ED5C7514F24B6895D1681985EB4BF8CCCAEBE9EAA3B7891D56536E8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453117Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:26.976{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9F182E3AD335BA761FB332701977154,SHA256=6D8E6C0B98D099DC03B625C36FE55CC41F7357333A6ABD642493DE089BF06081,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453116Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.176{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61331- 354300x80000000000000001453115Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.176{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local51074- 354300x80000000000000001453114Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.176{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61381- 354300x80000000000000001453113Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.175{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61245- 354300x80000000000000001453112Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.175{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60455- 354300x80000000000000001453111Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.175{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local50977- 354300x80000000000000001453110Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.175{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local50008- 354300x80000000000000001453109Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.160{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-201.attackrange.local56191-false157.240.20.15edge-star-shv-02-frt3.facebook.com443https 354300x80000000000000001453108Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.140{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-201.attackrange.local56190-false172.217.23.98mil04s23-in-f2.1e100.net443https 354300x80000000000000001453107Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.136{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-201.attackrange.local56189-false142.250.185.174fra16s51-in-f14.1e100.net443https 354300x80000000000000001453106Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.105{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60872-false142.250.185.174fra16s51-in-f14.1e100.net443https 354300x80000000000000001453105Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.105{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60871-false172.217.23.98mil04s23-in-f2.1e100.net443https 354300x80000000000000001453104Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.105{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60870-false157.240.20.15edge-star-shv-02-frt3.facebook.com443https 10341000x80000000000000001453103Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:26.634{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453102Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:26.607{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001453101Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.991{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56507- 354300x80000000000000001453100Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.971{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-201.attackrange.local63100-false142.250.185.65fra16s48-in-f1.1e100.net443https 354300x80000000000000001453099Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.933{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60869-false142.250.185.65fra16s48-in-f1.1e100.net443https 354300x80000000000000001453098Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.932{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60868-false192.0.73.2-443https 354300x80000000000000001453097Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.922{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63099- 354300x80000000000000001453096Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.921{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local62709- 354300x80000000000000001453095Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.921{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56189- 354300x80000000000000001453094Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.920{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56825- 354300x80000000000000001453093Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.920{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56188- 354300x80000000000000001453092Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.919{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56592- 354300x80000000000000001453091Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.919{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60867-false192.0.73.2-443https 354300x80000000000000001453090Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.918{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60445- 354300x80000000000000001453089Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.918{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60866-false192.0.73.2-443https 354300x80000000000000001453088Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.918{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56596- 354300x80000000000000001453087Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.917{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60865-false192.0.73.2-443https 354300x80000000000000001453086Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.917{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60864-false151.101.12.193-443https 354300x80000000000000001453085Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.917{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local64738- 354300x80000000000000001453084Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.916{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local62782- 354300x80000000000000001453083Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.916{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56203- 354300x80000000000000001453082Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.916{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local62955- 354300x80000000000000001453081Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.914{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local64282- 354300x80000000000000001453080Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.858{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-201.attackrange.local58774-false142.250.186.74fra24s05-in-f10.1e100.net443https 354300x80000000000000001453079Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.840{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60863-false151.101.129.69-443https 354300x80000000000000001453078Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.840{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60862-false142.250.186.74fra24s05-in-f10.1e100.net443https 354300x80000000000000001453077Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.840{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local58773- 354300x80000000000000001453076Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.839{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local57456- 354300x80000000000000001453075Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.839{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56650- 354300x80000000000000001453074Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.838{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local58304- 354300x80000000000000001453073Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.836{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56551- 10341000x80000000000000001453072Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:26.506{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001453071Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:26.392{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\permissions.sqlite-journalMD5=54BD67F03AB56FD2C004C163FB452C97,SHA256=00A8816F4FD0FC66BB4B2ADFD2700F774EC05EA45C33FECF5581272678EA9332,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453070Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:26.376{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-087E-60E3-0D0B-00000000D301}6472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+3c09f0|C:\Program Files\Mozilla Firefox\xul.dll+e16225|C:\Program Files\Mozilla Firefox\xul.dll+e164b6|C:\Program Files\Mozilla Firefox\xul.dll+e13e2e|C:\Program Files\Mozilla Firefox\xul.dll+e14060|C:\Program Files\Mozilla Firefox\xul.dll+28811fa|C:\Program Files\Mozilla Firefox\xul.dll+2880fb8|C:\Program Files\Mozilla Firefox\xul.dll+288463e|C:\Program Files\Mozilla Firefox\xul.dll+287e5a3|C:\Program Files\Mozilla Firefox\xul.dll+23116d|C:\Program Files\Mozilla Firefox\xul.dll+3e4c31|C:\Program Files\Mozilla Firefox\xul.dll+117d0d1|C:\Program Files\Mozilla Firefox\xul.dll+10ee581|C:\Program Files\Mozilla Firefox\xul.dll+3c47bd|C:\Program Files\Mozilla Firefox\xul.dll+11873b7|C:\Program Files\Mozilla Firefox\xul.dll+1112adc|C:\Program Files\Mozilla Firefox\xul.dll+1117990 10341000x80000000000000001453069Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:26.375{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F844-60E2-FA08-00000000D301}4152C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+3c09f0|C:\Program Files\Mozilla Firefox\xul.dll+e16225|C:\Program Files\Mozilla Firefox\xul.dll+e164b6|C:\Program Files\Mozilla Firefox\xul.dll+e13e2e|C:\Program Files\Mozilla Firefox\xul.dll+e14060|C:\Program Files\Mozilla Firefox\xul.dll+28811fa|C:\Program Files\Mozilla Firefox\xul.dll+2880fb8|C:\Program Files\Mozilla Firefox\xul.dll+288463e|C:\Program Files\Mozilla Firefox\xul.dll+287e5a3|C:\Program Files\Mozilla Firefox\xul.dll+23116d|C:\Program Files\Mozilla Firefox\xul.dll+3e4c31|C:\Program Files\Mozilla Firefox\xul.dll+117d0d1|C:\Program Files\Mozilla Firefox\xul.dll+10ee581|C:\Program Files\Mozilla Firefox\xul.dll+3c47bd|C:\Program Files\Mozilla Firefox\xul.dll+11873b7|C:\Program Files\Mozilla Firefox\xul.dll+1112adc|C:\Program Files\Mozilla Firefox\xul.dll+1117990 10341000x80000000000000001453068Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:26.375{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83F-60E2-F508-00000000D301}4828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+3c09f0|C:\Program Files\Mozilla Firefox\xul.dll+e16225|C:\Program Files\Mozilla Firefox\xul.dll+e164b6|C:\Program Files\Mozilla Firefox\xul.dll+e13e2e|C:\Program Files\Mozilla Firefox\xul.dll+e14060|C:\Program Files\Mozilla Firefox\xul.dll+28811fa|C:\Program Files\Mozilla Firefox\xul.dll+2880fb8|C:\Program Files\Mozilla Firefox\xul.dll+288463e|C:\Program Files\Mozilla Firefox\xul.dll+287e5a3|C:\Program Files\Mozilla Firefox\xul.dll+23116d|C:\Program Files\Mozilla Firefox\xul.dll+3e4c31|C:\Program Files\Mozilla Firefox\xul.dll+117d0d1|C:\Program Files\Mozilla Firefox\xul.dll+10ee581|C:\Program Files\Mozilla Firefox\xul.dll+3c47bd|C:\Program Files\Mozilla Firefox\xul.dll+11873b7|C:\Program Files\Mozilla Firefox\xul.dll+1112adc|C:\Program Files\Mozilla Firefox\xul.dll+1117990 10341000x80000000000000001453067Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:26.375{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83E-60E2-F408-00000000D301}7128C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+3c09f0|C:\Program Files\Mozilla Firefox\xul.dll+e16225|C:\Program Files\Mozilla Firefox\xul.dll+e164b6|C:\Program Files\Mozilla Firefox\xul.dll+e13e2e|C:\Program Files\Mozilla Firefox\xul.dll+e14060|C:\Program Files\Mozilla Firefox\xul.dll+28811fa|C:\Program Files\Mozilla Firefox\xul.dll+2880fb8|C:\Program Files\Mozilla Firefox\xul.dll+288463e|C:\Program Files\Mozilla Firefox\xul.dll+287e5a3|C:\Program Files\Mozilla Firefox\xul.dll+23116d|C:\Program Files\Mozilla Firefox\xul.dll+3e4c31|C:\Program Files\Mozilla Firefox\xul.dll+117d0d1|C:\Program Files\Mozilla Firefox\xul.dll+10ee581|C:\Program Files\Mozilla Firefox\xul.dll+3c47bd|C:\Program Files\Mozilla Firefox\xul.dll+11873b7|C:\Program Files\Mozilla Firefox\xul.dll+1112adc|C:\Program Files\Mozilla Firefox\xul.dll+1117990 10341000x80000000000000001453066Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:26.375{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83E-60E2-F308-00000000D301}7032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+3c09f0|C:\Program Files\Mozilla Firefox\xul.dll+e16225|C:\Program Files\Mozilla Firefox\xul.dll+e164b6|C:\Program Files\Mozilla Firefox\xul.dll+e13e2e|C:\Program Files\Mozilla Firefox\xul.dll+e14060|C:\Program Files\Mozilla Firefox\xul.dll+28811fa|C:\Program Files\Mozilla Firefox\xul.dll+2880fb8|C:\Program Files\Mozilla Firefox\xul.dll+288463e|C:\Program Files\Mozilla Firefox\xul.dll+287e5a3|C:\Program Files\Mozilla Firefox\xul.dll+23116d|C:\Program Files\Mozilla Firefox\xul.dll+3e4c31|C:\Program Files\Mozilla Firefox\xul.dll+117d0d1|C:\Program Files\Mozilla Firefox\xul.dll+10ee581|C:\Program Files\Mozilla Firefox\xul.dll+3c47bd|C:\Program Files\Mozilla Firefox\xul.dll+11873b7|C:\Program Files\Mozilla Firefox\xul.dll+1112adc|C:\Program Files\Mozilla Firefox\xul.dll+1117990 354300x80000000000000001453065Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.661{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60861-false151.101.65.69-443https 354300x80000000000000001453064Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.661{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local61957- 354300x80000000000000001453063Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.661{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local64713- 354300x80000000000000001453062Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:24.631{D694AEB8-B3EA-60E2-0F00-00000000D301}376C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-38448-false10.0.1.14win-dc-201.attackrange.local3389ms-wbt-server 22542200x80000000000000001453061Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:26.063{D694AEB8-F83C-60E2-EF08-00000000D301}6572pagead-googlehosted.l.google.com02a00:1450:4001:829::2001;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453060Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:26.061{D694AEB8-F83C-60E2-EF08-00000000D301}6572pagead-googlehosted.l.google.com0142.250.185.161;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453059Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.892{D694AEB8-F83C-60E2-EF08-00000000D301}6572scontent.xx.fbcdn.net02a03:2880:f01c:8012:face:b00c:0:3;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453058Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.891{D694AEB8-F83C-60E2-EF08-00000000D301}6572scontent.xx.fbcdn.net0157.240.20.19;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453057Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.890{D694AEB8-F83C-60E2-EF08-00000000D301}6572platform-lookaside.fbsbx.com0type: 5 scontent.xx.fbcdn.net;::ffff:157.240.20.19;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453056Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.806{D694AEB8-F83C-60E2-EF08-00000000D301}6572qa.sockets.stackexchange.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453055Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.785{D694AEB8-F83C-60E2-EF08-00000000D301}6572qa.sockets.stackexchange.com0198.252.206.25;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453054Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.784{D694AEB8-F83C-60E2-EF08-00000000D301}6572qa.sockets.stackexchange.com0::ffff:198.252.206.25;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453053Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.537{D694AEB8-F83C-60E2-EF08-00000000D301}6572www-google-analytics.l.google.com02a00:1450:4001:810::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453052Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.536{D694AEB8-F83C-60E2-EF08-00000000D301}6572www-google-analytics.l.google.com0142.250.185.174;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453051Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.466{D694AEB8-F83C-60E2-EF08-00000000D301}6572googlehosted.l.googleusercontent.com02a00:1450:4001:829::2001;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453050Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.464{D694AEB8-F83C-60E2-EF08-00000000D301}6572googlehosted.l.googleusercontent.com0142.250.185.65;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453049Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.463{D694AEB8-F83C-60E2-EF08-00000000D301}6572lh5.googleusercontent.com0type: 5 googlehosted.l.googleusercontent.com;::ffff:142.250.185.65;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453048Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.462{D694AEB8-F83C-60E2-EF08-00000000D301}6572ipv4.imgur.map.fastly.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453047Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.461{D694AEB8-F83C-60E2-EF08-00000000D301}6572www.gravatar.com02a04:fa87:fffe::c000:4902;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453046Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.460{D694AEB8-F83C-60E2-EF08-00000000D301}6572www.gravatar.com0192.0.73.2;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453045Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.460{D694AEB8-F83C-60E2-EF08-00000000D301}6572ipv4.imgur.map.fastly.net0151.101.12.193;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453044Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.459{D694AEB8-F83C-60E2-EF08-00000000D301}6572www.gravatar.com0::ffff:192.0.73.2;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453043Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.459{D694AEB8-F83C-60E2-EF08-00000000D301}6572i.stack.imgur.com0type: 5 ipv4.imgur.map.fastly.net;::ffff:151.101.12.193;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453042Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.385{D694AEB8-F83C-60E2-EF08-00000000D301}6572cdn.sstatic.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453041Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.383{D694AEB8-F83C-60E2-EF08-00000000D301}6572cdn.sstatic.net0151.101.193.69;151.101.65.69;151.101.1.69;151.101.129.69;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453040Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.382{D694AEB8-F83C-60E2-EF08-00000000D301}6572cdn.sstatic.net0::ffff:151.101.129.69;::ffff:151.101.193.69;::ffff:151.101.65.69;::ffff:151.101.1.69;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453039Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.215{D694AEB8-F83C-60E2-EF08-00000000D301}6572serverfault.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453038Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.204{D694AEB8-F83C-60E2-EF08-00000000D301}6572serverfault.com0151.101.193.69;151.101.1.69;151.101.129.69;151.101.65.69;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453037Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.204{D694AEB8-F83C-60E2-EF08-00000000D301}6572serverfault.com0::ffff:151.101.65.69;::ffff:151.101.193.69;::ffff:151.101.1.69;::ffff:151.101.129.69;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001453036Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:26.149{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\cache2\doomed\8215MD5=BB01F8135A81B60EDD644D87509DA24F,SHA256=559C1C3B4D3A8AF74338F5232A0D543CD9CC3E0806872EB0976BBBDF2642EA99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453035Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:26.148{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\yzehmadb.default-release\cache2\doomed\27584MD5=24A9ACE73BB93874C35763550FFA08D8,SHA256=6F0E52E0D0E29D5C334037AD264A652A8FC2CC81554A38EA844ACB820AC97BBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453034Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:26.032{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44CAD4F1C5DEC27B019AB6A94A2D9D62,SHA256=7DF8792859660C50D51687CCD8657BBC9785D12C0CCF9B34C74483BF9E73CEE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397828Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:26.339{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9053904D4B6F9EE581CCFACE4C1C26B6,SHA256=F662C2961574D3B8D243DD59C14F75C7FBF2E120B0C49C1B7DA09A6C53379166,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397831Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:26.214{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53890-false10.0.1.12-8000- 23542300x8000000000000000397830Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:27.544{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0940ACFA281B0FFEF053EC309FAAA9FC,SHA256=8F144E4BA4E0AA10B17DC684ADA21CC2B4A8782E8206FDD0C0EA2AF87BB4ADE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453145Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.787{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60880-false142.250.185.68fra16s48-in-f4.1e100.net443https 354300x80000000000000001453144Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.758{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-201.attackrange.local57279-false142.250.186.129fra24s07-in-f1.1e100.net443https 354300x80000000000000001453143Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.722{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60879-false142.250.186.129fra24s07-in-f1.1e100.net443https 354300x80000000000000001453142Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.648{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local57278- 354300x80000000000000001453141Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.648{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local49933- 354300x80000000000000001453140Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.622{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60878-false151.101.65.69-443https 354300x80000000000000001453139Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.622{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local57225- 354300x80000000000000001453138Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.601{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-201.attackrange.local62369-false74.125.133.157wo-in-f157.1e100.net443https 354300x80000000000000001453137Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.577{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60877-false142.250.184.227fra24s12-in-f3.1e100.net80http 354300x80000000000000001453136Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.577{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local62368- 354300x80000000000000001453135Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.576{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local62331- 354300x80000000000000001453134Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.574{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local58418- 354300x80000000000000001453133Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.558{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60876-false74.125.133.157wo-in-f157.1e100.net443https 354300x80000000000000001453132Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.548{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local65262- 354300x80000000000000001453131Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.547{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local49252- 354300x80000000000000001453130Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.546{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-201.attackrange.local50313-false142.250.185.161fra16s51-in-f1.1e100.net443https 354300x80000000000000001453129Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.542{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local50312- 10341000x80000000000000001453128Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:27.339{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d8d317|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+40208|C:\Program Files\Mozilla Firefox\xul.dll+122aede 10341000x80000000000000001453127Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:27.339{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002 354300x80000000000000001453126Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.518{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60875-false142.250.185.161fra16s51-in-f1.1e100.net443https 354300x80000000000000001453125Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.517{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local63575- 22542200x80000000000000001453124Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:26.164{D694AEB8-F83C-60E2-EF08-00000000D301}6572clc.stackoverflow.com0::ffff:151.101.65.69;::ffff:151.101.193.69;::ffff:151.101.129.69;::ffff:151.101.1.69;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001453123Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:27.088{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18B10ECDBF5DD0805A9089332B9BCFBF,SHA256=359711690DF049A6C51B236352F61305AF1E6262BB415A4157BF7FE114C1CCB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453122Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.349{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60874-false157.240.20.19xx-fbcdn-shv-02-frt3.fbcdn.net443https 354300x80000000000000001453121Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.348{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local49827- 354300x80000000000000001453120Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.346{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local65109- 354300x80000000000000001453119Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:25.327{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-201.attackrange.local60873-false198.252.206.25stackoverflow.com443https 23542300x80000000000000001453118Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:27.022{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397832Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:28.559{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0D9FAAAEB5A00499A81E0145F4D26C8,SHA256=04A43F88AF32A009AAF8EBB4C1399E830B9478B7E666F23CE2E0F9E3A4DFD9A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453154Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:26.185{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local62111- 354300x80000000000000001453153Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:26.185{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local56586- 10341000x80000000000000001453152Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:28.546{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d87090|C:\Program Files\Mozilla Firefox\xul.dll+2d86f05|C:\Program Files\Mozilla Firefox\xul.dll+2d86a87|C:\Program Files\Mozilla Firefox\xul.dll+2d8654a|C:\Program Files\Mozilla Firefox\xul.dll+2d8720f 10341000x80000000000000001453151Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:28.546{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571 10341000x80000000000000001453150Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:28.418{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d87090|C:\Program Files\Mozilla Firefox\xul.dll+2d86f05|C:\Program Files\Mozilla Firefox\xul.dll+2d86a87|C:\Program Files\Mozilla Firefox\xul.dll+2d8654a 10341000x80000000000000001453149Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:28.418{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002 23542300x80000000000000001453148Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:28.244{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4FAFAE83F9ECD01660386C52CE47640,SHA256=ED6C4EC0B32D13E1C72CEFB306B74339B265A616FF62723935366C9F0F28CA36,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001453147Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:26.178{D694AEB8-F83C-60E2-EF08-00000000D301}6572clc.stackoverflow.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001453146Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:26.165{D694AEB8-F83C-60E2-EF08-00000000D301}6572clc.stackoverflow.com0151.101.193.69;151.101.129.69;151.101.1.69;151.101.65.69;C:\Program Files\Mozilla Firefox\firefox.exe 354300x80000000000000001453156Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:27.184{D694AEB8-B3FA-60E2-2600-00000000D301}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local50056- 23542300x80000000000000001453155Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:29.245{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3593FBF38524C35A503AA794883AE2CD,SHA256=A859B45548DB26911C1751F1FCBD4DC2216A3AEAD1ED2854B1EAC24FF844D01C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397833Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:29.575{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=976E5AD82F588CD3C3C2F4A5A3299862,SHA256=5E38BA291EBB8A8F2F78153E606919DF2B1BA11B35499A25BDAABDD7DEE1AC2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397834Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:30.575{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD11B960790112E6F843B1EFB47D9A7,SHA256=BCEEA6E737D61D9874810A32316F208BFF187C482F782F5F52511E2CCBD0EADB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453164Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:28.587{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60881-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453163Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:30.795{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=8D9F71641750927C697C993E0AA0543B,SHA256=40C9FB994A08DE6B5DC1B495BB352480CA793DF90C972409FBDACF18F738C287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453162Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:30.794{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=A951F43104238CCE77B5C7E5598F088B,SHA256=884E950FDD6912F9E3C95FF8D0729ED221487CB914F5A07BBF665D59CC81F5F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453161Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:30.793{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=2CAAF850BDCD3151ECF1F5706EF5672F,SHA256=694B1980EB5CD7F5C607AF580AAF95A0FBF5C61A66A83ACF83CC4689E57E5704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453160Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:30.445{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453159Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:30.250{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49DF41B1B1D24FCFA58E8F83EE67F1DF,SHA256=B90C603825934375E24DE11C09449702262A70D811B449EC41035B8829239914,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453158Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:30.201{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d8d317|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+40208|C:\Program Files\Mozilla Firefox\xul.dll+122aede 10341000x80000000000000001453157Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:30.201{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002 23542300x8000000000000000397839Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:31.888{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=26E8276BC1B0ECFA1CD13CCED86C5FFC,SHA256=467634947EEB392F9071CD5C12664913D4C374D184D34B91CDDB44B045135AE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397838Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:31.888{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=FFFA0D4EF922B9CA262130F82036CA63,SHA256=D68AD34608D8900D74CE6FECABB5A407C61B13BF5C3A2B537FAACDD9AEAD9373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397837Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:31.888{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=F3297EF2DE5A08F5C88BDA7FD11C496F,SHA256=ADC057A6BCBEAE6B1F01E5CC6F723489119E121EBE143872C1F0319AFDC0E838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397836Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:31.606{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD9C870D687352D5D345A0001989E8B2,SHA256=0AE78D2FE301590CC882C1EC31F7FB6FBBA21F832D73A318CD019978D8FD23DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453167Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:29.879{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60882-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x80000000000000001453166Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:31.697{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001453165Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:31.256{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3B5A4BB3F355BCF9D400EA82290158,SHA256=6B9EDB7D636BEDAAC062DAAA00C3DE63C54A728A68039E9F5570F9EBE950EC65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397835Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:31.153{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397840Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:32.608{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44779525FAEC5B43112B2B4DB55FD198,SHA256=696920727D3833B5A7F6EB90BF0D769F0D292F69F2CA8740BF1C2C3212A94EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453168Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:32.260{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC8DDF74D1EC133D8DC755F813B4294,SHA256=FA1123FF19F665018F65586E1F2D3AA9ADD59FFC6D5D8C2F9D6F0A026AD29474,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397843Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:32.244{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53892-false10.0.1.12-8000- 23542300x8000000000000000397842Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:33.747{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01932645F5C3CCC4E5B968FA07A01F5C,SHA256=D5B4319677BFEFEA2DABC1E84ECDB3C049DC13F6FB2B04395678F9B56379FF4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453170Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:33.926{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=73DDE5FE9FBE477F2615D2B09D67B7D8,SHA256=DD52799B10663C4AE8D65946599945887A0C4D19B99A9F6F1B650AB72ED274F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453169Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:33.283{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3966055D36B5D2A59AAF86E78E1C73,SHA256=969FB3C526233FFD0EAC4E6282539511576425069D04A6005B6B4D661239B8B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397841Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:31.338{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53891-false10.0.1.12-8089- 23542300x8000000000000000397857Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:34.778{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BBC32EDA0F88E266A18CA50F3DAAC33,SHA256=3B66A3DB37D6EE47C66894ECE148FF6B2BFC2EC6394B7FB39C04044AA590C0B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453171Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:34.289{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C812F7A4192DED0BECDDF2525116977,SHA256=D764C7C42CD9FAC1C67F2C55C6F557B40ADA61319F4072BBD4896DC79AB3F803,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397856Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:34.638{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-088A-60E3-760A-00000000D401}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397855Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397854Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397853Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397852Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397851Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397850Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397849Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397848Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397847Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:34.638{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397846Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:34.638{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-088A-60E3-760A-00000000D401}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397845Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:34.638{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-088A-60E3-760A-00000000D401}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397844Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:34.638{7F1C7D0B-088A-60E3-760A-00000000D401}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001453175Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:35.952{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7C2D7266F1AD83FA12E491AA7E4BE8C,SHA256=60A74FAD1E6C6743FB9C802B7F6305F2675CFB5ADD5953E58FD61B1DF53A2E7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453174Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:35.949{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAC79F159B5F15883A0DCD8A4C8C5E75,SHA256=FAAB8B1D86119C6E1DDD4684053753474F38E8AA0DEC73154395CE215CC4D157,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453173Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:33.673{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60883-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453172Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:35.292{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D1808A0C8C1ED30FB29933D5B99D21,SHA256=4CDE5CFF3930551F08FD94299E47BD77CE2E0A737461A9C8F89B76FCB2E5BD06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397886Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.825{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54A7B42DF68A72BE984DA3387317F240,SHA256=393F55D02A7D746E436104C586D55DA58F094C5D9C096F742C7BFC7ACADA75F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397885Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.825{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-088B-60E3-780A-00000000D401}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000397884Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.825{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B0D1113DB67A5B9C2B79B41E4B94918,SHA256=2C5B4D1E969066CF27C1F49F4846EB5442131433455174515A550DF7C71D5698,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397883Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.825{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397882Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.825{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397881Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.825{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397880Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.825{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397879Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.825{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397878Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.825{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397877Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.825{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397876Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.825{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397875Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.825{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397874Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.825{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-088B-60E3-780A-00000000D401}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397873Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.825{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-088B-60E3-780A-00000000D401}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397872Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.826{7F1C7D0B-088B-60E3-780A-00000000D401}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000397871Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.325{7F1C7D0B-088B-60E3-770A-00000000D401}16203456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397870Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.153{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-088B-60E3-770A-00000000D401}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397869Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.153{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397868Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.153{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397867Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.153{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397866Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.153{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397865Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.153{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397864Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.153{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397863Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.153{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397862Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.153{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397861Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.153{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397860Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.153{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-088B-60E3-770A-00000000D401}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397859Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.153{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-088B-60E3-770A-00000000D401}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397858Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:35.155{7F1C7D0B-088B-60E3-770A-00000000D401}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000397888Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:36.888{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54A7B42DF68A72BE984DA3387317F240,SHA256=393F55D02A7D746E436104C586D55DA58F094C5D9C096F742C7BFC7ACADA75F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397887Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:36.294{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6374CDB02544179EED150745D567EEA1,SHA256=B70E037F38238FF774B335FC9C794F6771B4954C24D3A61559A2B818289C9D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453176Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:36.301{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7832D51A2577733EB11F67E92C0C1B4,SHA256=8083969425B4D95DBF15D67AEA7961EA6A914C48FB32D36E899038D7177EBF8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397889Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:37.388{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6785B0515C5574615E0825D769F0CDDC,SHA256=4D77B9713885B28F999624A245434756526DFB4D4DD1DFC2ABA264416D8BEAB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453177Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:37.306{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8909BCD49D6D0456A325F4365B19EA40,SHA256=43AFBBC66C579A9F38D102D2D80530009116D4B5032F76C0311D4EDD60444B63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397890Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:38.434{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B8FB83795ECB8BD2E4C8338DEFB5ED0,SHA256=7B31963094D259B4CF92A4A64D11E53157A9C06BA550D22DA27FFFFE34EBE255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453184Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:38.606{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=5090CEE709B555E73CF05EB030FBB1A7,SHA256=3ABD8207F0FD0227DB8FAF186F01ECAF2DBA3DBE0C8E0AB7EC1ECCCE4B5FF68D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453183Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:38.605{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=E63E029FA63A4BF8433638FA82B84A1F,SHA256=369258B68BE9201DBFD7C74259A5081A6DC7AB1C0685C6248EC4EE6DEE0CDE05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453182Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:38.604{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=620E930ABB6FED6CD283376F17C20AB6,SHA256=8CF131E59D1422F282F15DFFC241537350985ED468167B52AE1DAE117622ECA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453181Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:38.602{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=4956273DE0960436CA5347C8560D982B,SHA256=7EBBD61D604459E292ECC0734E3C028CFDFFB107DA8BC88101ECA9681D0EF35D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453180Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:38.601{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=3AB933CC593C47D812E0EE2C607D239F,SHA256=04C618B11CBA1E220AE4805CE5AD215BEEF9AAD1C1B3B582D74FE8C92B7471BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453179Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:38.600{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=0375A85A7686E76DC9B19307249A668F,SHA256=26E1843965065CF59A656383080DC67391435433C17ACD134FB8E6BD6F2BCE20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453178Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:38.309{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA168FFD889DFC98E982AAD8047EC0F,SHA256=6F540072EF146584810897AA7EB9688C7E7F19495884A7ED8142AA7BE72009D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453185Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:39.316{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0FBDB70509FC275A31D08516210E4F1,SHA256=30A92A5986C3AA0B69B657A9583330DCADFAEACBC53973A488CBD4BEA3CA4066,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397919Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.809{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-088F-60E3-7A0A-00000000D401}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397918Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.809{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397917Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.809{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397916Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.809{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397915Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.809{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397914Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.809{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397913Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.809{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397912Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.809{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397911Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.809{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397910Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.809{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397909Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.809{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-088F-60E3-7A0A-00000000D401}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397908Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.809{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-088F-60E3-7A0A-00000000D401}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397907Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.810{7F1C7D0B-088F-60E3-7A0A-00000000D401}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000397906Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:37.447{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53893-false10.0.1.12-8000- 23542300x8000000000000000397905Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.434{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C15630150F081856EAD2E76087406AC4,SHA256=74B4B6CC1685383CF4E839CA0F351666F3E04295A6295E31DBCBFEEEF8891D97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397904Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.309{7F1C7D0B-088F-60E3-790A-00000000D401}8641868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397903Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.138{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-088F-60E3-790A-00000000D401}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397902Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.138{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397901Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.138{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397900Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.138{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397899Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.138{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397898Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.138{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397897Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.138{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397896Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.138{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397895Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.138{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-088F-60E3-790A-00000000D401}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397894Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.138{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397893Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.138{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397892Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.138{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-088F-60E3-790A-00000000D401}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397891Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:39.138{7F1C7D0B-088F-60E3-790A-00000000D401}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000397948Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.809{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0890-60E3-7C0A-00000000D401}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397947Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.809{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397946Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.809{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397945Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.809{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397944Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.809{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397943Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.809{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397942Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.809{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397941Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.809{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397940Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.809{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397939Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.809{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397938Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.809{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0890-60E3-7C0A-00000000D401}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397937Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.809{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0890-60E3-7C0A-00000000D401}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397936Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.810{7F1C7D0B-0890-60E3-7C0A-00000000D401}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000397935Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.544{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31FDBB8F375CB7B087949FF86CC2A9B1,SHA256=3CC993E03D27BF50427D8E6D03EEDCC12C0279257F52D8E232CD3EBD65320A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453186Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:40.319{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6207AFEE734780A626378C66E8D1DCB5,SHA256=AE5BC0F4922FD4B9E50F7283E601983BF77A3EC3DB8373A98313CE2B6179D86D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397934Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.309{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0890-60E3-7B0A-00000000D401}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397933Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.309{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397932Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.309{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397931Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.309{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397930Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.309{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397929Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.309{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397928Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.309{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397927Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.309{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397926Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.309{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-0890-60E3-7B0A-00000000D401}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000397925Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.309{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397924Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.309{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397923Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.309{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0890-60E3-7B0A-00000000D401}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000397922Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.310{7F1C7D0B-0890-60E3-7B0A-00000000D401}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000397921Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.169{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1404CE3E24FF4AFB4B91BC75E57B587,SHA256=7F4906F7795646C3A1A5901C3D2DEEDBE98E243DCCFF0E7C3EAA27753F3CF945,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397920Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:40.153{7F1C7D0B-088F-60E3-7A0A-00000000D401}3332616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000397951Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:41.559{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72410BEA2F0CE4D132BD9C6893D03A8E,SHA256=C0633733823BA25C26DF3FC8D1F3DC14F908F1907B92C773537D67041A4AAE46,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453188Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:39.501{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60884-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453187Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:41.327{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B93EB049A3B6E51E61E12FDC1E9801C3,SHA256=83D77C1531182717756C6FB751BB5C7CB81121760CDD37CB0A3C32A97E490EB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397950Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:41.450{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D31FC3DED98F9BD7DA97F6EBBF1D7B96,SHA256=7A541AF69A52EE5CE6D45914CAC9E8E22E3F0899319512FA39AF71ED9F46AAC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000397949Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:41.029{7F1C7D0B-0890-60E3-7C0A-00000000D401}36481016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000397952Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:42.606{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D165823070350B8748CEE74DCF59EE13,SHA256=BFA7C7F605EB922633FD03424CD22565D2E6DA6B2570EAD779F62995CF505C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453189Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:42.333{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DBD0527437579AA9FE076E525C6EEE8,SHA256=F09788983A0A742F0C8447CAE108065B0EB3813C8E917F54F4D2137B544C61B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397953Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:43.606{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A16148A7D9F417F5048B39F38AC495A2,SHA256=1CEEDECE5B542AC442EBB22FD4C61753221DC3E23CF31BB0ABA91B5EEDD049CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453190Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:43.341{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66F457A8CB136B0C33989A1C40DFBC1,SHA256=250905B8F2D2DC5E72C00A62CB8EB8E68B317981C2D66DDFC41914B431E95343,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397955Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:44.622{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD88902BE196FEE418E0B0ADA2EE17C,SHA256=2273EB27C34194A8823C31DCC8BC0C5C3B83669CDBEA7DB2705619C47F53F6E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397954Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:43.463{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53894-false10.0.1.12-8000- 23542300x80000000000000001453191Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:44.347{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D09CD3AB2038F8B454917AF8DD3B6AA,SHA256=79F9A3961F1E6AF4EE4C31D34F81BB49AEB4C79FEFC961DBA2894A637445A1ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397956Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:45.638{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD56EFE2728FDEF749D9F57D8C3AF11,SHA256=63CF0014AB86B60FE854AC606EBCF310E0775343AB028A248D7A7DE25F5E5232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453192Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:45.351{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=452872567F97BAFC24346A58304CDC67,SHA256=941AFFA92027F088A2E060AE71E24328A7381D4FDDF890C69CBAC700DBA3F2C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397957Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:46.731{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8314CE35FDFC99224FF3F68898C0CD80,SHA256=4E5D695312388CAD02EF903DDBA08717204F1F813D60F376322D06500E9EFBCE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453194Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:44.587{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60885-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453193Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:46.355{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4093AC0743A7A6B1420F4387089A8083,SHA256=6F46257C81CA0FA23A421748E43AE9482F6701DBB9A1C55638C319F63E97BFBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397958Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:47.856{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C53637FF610A57EA44A2A98B40CEB1,SHA256=0D463340C03CBB60CCAA95BE54A0525E738D7A23EA53D4513B0BF64CE2FA8AF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453195Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:47.360{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=772EAEE3DBD03A85F31EEA179FF1D6A3,SHA256=D8DD05F447A69B92BD31C1F72446D33CD167F30D486AA583E72BEB7E45431C1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397959Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:48.856{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1236564F7A522DE852852D6CF020399,SHA256=BD2D7748A673F4BB6FA8BE212D28A19C6E29C504940BFBD119C168BB429F9745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453196Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:48.588{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=288ADE8C1B5FF8283044F4896206730C,SHA256=78BB346EE069A8D7480A7A0AE5E82D4FDCBB9C6DECB95FEAB857EB1148610517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397960Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:49.856{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C5F75BB7DA7CB67BAD5B979189B43F,SHA256=3F6DF367D05627291BFD5E161958E01077DA14F9D128114140BF29F7884C3B00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453197Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:49.594{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C367168F2A4042BBBDA15CDD0101D31E,SHA256=03343190737A5696388B1F7232690341F598B01572B07AD1547FA6A548CB6A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397962Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:50.903{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=211B68FD5DA5026A71188C9A3DCC41A5,SHA256=C76A74136518DF7564E3701B5C87B1825D466A114E7CC09F648C29A5E8D998AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453198Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:50.598{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66547AF0961F0F65B4C656A5C2449B3,SHA256=4C7177A9342C064F3BE1E132B3FFAAAE991CF30DB91F45ED038D1170CD8B16BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397961Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:49.229{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53895-false10.0.1.12-8000- 23542300x8000000000000000397963Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:51.950{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7434FB3DF6A40BD2FABA6725CECBD241,SHA256=700B9772E83CBC83148DDC677193CD03F2DABEABB84E58DD70089739FA3D86D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453200Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:49.670{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60886-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453199Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:51.608{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C986831405EF61F165A7CB1820F8577,SHA256=A9C173F33A0198AF09D63E4A9190048BE36AF06B7A70915F6AEDFE3EBB70A2FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397964Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:52.950{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=047C820B9FDB42D967A903C84312BBF6,SHA256=7855B86EA0AE3A9A732DDC2A16B05E9C9A063C26C4FFB83DF43A0616F9248DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453201Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:52.611{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386608311BBA6D0A4DA6919074208E13,SHA256=5C44CA25AA687B8FE1BD40FAC131829C8783891F6B2EB1BC6E41BE3DACE105D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453202Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:53.617{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5048FB5ED84C6C7008D16E526B9C592A,SHA256=69650672CF8D3CAFFC472EE47F9AC9FCB9B6EF2B8D32ED9A073718DC94354FC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453203Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:54.624{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB55ECC88CEACAE9C6A7A95133ABD3C,SHA256=07D5F4EF81360E4766B46401CA4D1285239D0DB784D7F2D9C350FEBD669DC728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397965Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:54.059{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13D4791A9DF8D348695A56F64F574E24,SHA256=99A3D1DEF1ABB03CFF1AF1CA8F64DCB9D9598EFD8930DA47CA35D79CE2959F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453204Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:55.629{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C5378036D10A8A19189B0A42DEC4CC,SHA256=9A177D76D4D2C00255D215D6BA55EB593CE9B9078555348D919EDE6E9F9FE7DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397966Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:55.075{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D80EAE1A4BBFC782EB572D64C47CA4B,SHA256=D6D21F367570635DCD8C7AA35F9A17817F70CE06E0D0F4400E1F9B70953B1E39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453205Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:56.636{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=055E05EE0ED05DA8E0F11BAE938401E4,SHA256=7F95E241A87AAACB75F1080D493FFF411BD7DD70FD1558F5536CD770CC64E40A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397968Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:55.244{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53896-false10.0.1.12-8000- 23542300x8000000000000000397967Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:56.106{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2177965D75A8E6BF8CE4774717E05C5,SHA256=65812BB0E98CD17D43C0FB6F486E3A9DFE2A866A7571E5CE7726EFBED70E8AAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453207Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:55.485{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60887-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453206Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:57.662{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C99048405096C6E3059375AA19FAA5F,SHA256=7F063CA46E74B35EB0D8B24E0525F47F2EB35080D7059CB31D5FCF7A9DBF6035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397969Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:57.153{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30B6E107D074D87E9C332BC7032D9BE7,SHA256=BD3E921D14B2AA1580ECF464F241C5CCF608C08FAA3E03FEF685275887958938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453208Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:58.680{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76E19DB8C5A7ECA6773C5A98085D791,SHA256=9746F86765C94A8AB6F2C3B79D34E0D35A75B9D03607F98B23E6389132168791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397970Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:58.247{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F409C257D7C706ED85F3B3E1332333F7,SHA256=A2DB054044CC2976DFDC1DBB7EB3537FEE11D7067D7B8FBB90F125CD2F4615E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453226Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:59.860{D694AEB8-08A3-60E3-0F0B-00000000D301}11526044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453225Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:59.713{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-08A3-60E3-0F0B-00000000D301}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453224Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:59.713{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453223Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:59.713{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453222Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:59.713{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453221Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:59.713{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453220Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:59.713{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-08A3-60E3-0F0B-00000000D301}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001453219Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:59.713{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-08A3-60E3-0F0B-00000000D301}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001453218Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:59.714{D694AEB8-08A3-60E3-0F0B-00000000D301}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001453217Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:59.698{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38197831F8D1AACC45B6BB3213606333,SHA256=FC11CA127397E8D38D09D5F99598F90BB422E3C509171F802370980E5B59565B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397971Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:59.247{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A2F328F756F3696CBC3BF557E67F884,SHA256=FD260E45AF601D750818FC1366ADBE44DCE9BE5D07203BBC66F58A795A9E4532,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453216Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:59.098{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-08A3-60E3-0E0B-00000000D301}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453215Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:59.098{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453214Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:59.098{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453213Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:59.098{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453212Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:59.098{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453211Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:59.098{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-08A3-60E3-0E0B-00000000D301}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001453210Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:59.098{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-08A3-60E3-0E0B-00000000D301}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001453209Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:26:59.099{D694AEB8-08A3-60E3-0E0B-00000000D301}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001453237Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:00.712{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA0D646618B3DFCC2EF0304CD33CB75,SHA256=FFE71E993BAD79C3672C146AC2CAC65CBB69541E85BFC633884F432637A03387,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397975Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:26:59.053{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-63588-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000397974Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:00.434{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63AB77C67D98DEEEF6F3763699CC63C0,SHA256=AEF2356154F071390FBDFF59A49869AB3745DADFA85CA5AB146CFB7DD4B7BB52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453236Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:00.313{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-08A4-60E3-100B-00000000D301}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453235Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:00.313{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453234Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:00.313{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453233Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:00.313{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453232Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:00.313{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453231Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:00.313{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-08A4-60E3-100B-00000000D301}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001453230Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:00.313{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-08A4-60E3-100B-00000000D301}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001453229Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:00.314{D694AEB8-08A4-60E3-100B-00000000D301}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001453228Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:00.180{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A883F9D7EF56EC0AA95CB6C6549EA771,SHA256=75C89807759A2583035FAE148DBE27BC4747135FE92111AB6F7EC50C602A21A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453227Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:00.179{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7C2D7266F1AD83FA12E491AA7E4BE8C,SHA256=60A74FAD1E6C6743FB9C802B7F6305F2675CFB5ADD5953E58FD61B1DF53A2E7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397973Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:00.169{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC795E6447736A2C9F75666EA0FE78B9,SHA256=3F1320AE9E7EAD3CBB049296D95DCEC7EBFFF3FCA810E3F84AF220D31A382C9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397972Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:00.169{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FD14C99FB8B513C500BBBBC478477C6,SHA256=7FD2DB8341B171EA44575EFCF928A84682F346C815033D3832681765FF9C3D49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453239Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:01.727{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4103CDA30CDB783B721D7FF4B241668,SHA256=21E45D934202BF13838B9FFC4D32DE869888050AB518C2D09E6BDC741321B99A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397976Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:01.434{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B07206CEC834A84A8C63DCEB549B443,SHA256=876B9A0AA2C80DC27185EE2FBF313E7DB3B885114B260925C64D25D9829C1930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453238Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:01.327{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A883F9D7EF56EC0AA95CB6C6549EA771,SHA256=75C89807759A2583035FAE148DBE27BC4747135FE92111AB6F7EC50C602A21A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453252Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:02.957{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-08A6-60E3-110B-00000000D301}6564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453251Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:02.957{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453250Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:02.957{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453249Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:02.957{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453248Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:02.957{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453247Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:02.957{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-08A6-60E3-110B-00000000D301}6564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001453246Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:02.957{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-08A6-60E3-110B-00000000D301}6564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001453245Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:02.958{D694AEB8-08A6-60E3-110B-00000000D301}6564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001453244Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:02.741{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A03DA0C56FAB730FA0CB03FCC2FEF94,SHA256=B2509CBF0DE88734A8CDEA47C9762DD0DFBCEE440CB1DBFBA9D92C5AAEA21BBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397977Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:02.434{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D725876BC4961963B4A563941180A51,SHA256=6359206CDF594CF7B93650082CCBD127778244B3933477EC915979830BD50831,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001453243Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:02.457{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\AlternateServices.txt2021-06-30 11:32:16.512 11241100x80000000000000001453242Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:02.457{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\SiteSecurityServiceState.txt2021-06-30 11:32:16.412 23542300x80000000000000001453241Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:02.457{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\AlternateServices.txtMD5=39567A6E94A1FA4639334C9A981B861C,SHA256=251403F7343DF1CC7B28120845DA6E4902ED334D90BE534DF507947C23755C85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453240Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:02.457{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\SiteSecurityServiceState.txtMD5=FD8BCF89CAC6008219606EE0A7FCFC1E,SHA256=B25D5AF5E546F9F05C985FF87CAAA0813CA7379A760C439241578C3EFF18861F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453268Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:03.794{D694AEB8-08A7-60E3-120B-00000000D301}53645396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001453267Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:03.756{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2DED101CD9F5902FA77357E02F6281B,SHA256=507C9466494BE00A1405D14EEB1242C86630EC83EA07037A8D076EE45FF8B251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397978Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:03.434{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A00477000941D6BA8DD771B0B7D9258C,SHA256=979637974D1DAEFBDDD61095B47A8EBD5201DEAC450ADAC34BB45935A4C5E714,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453266Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:03.640{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-08A7-60E3-120B-00000000D301}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453265Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:03.640{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453264Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:03.640{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453263Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:03.640{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453262Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:03.640{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453261Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:03.640{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-08A7-60E3-120B-00000000D301}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001453260Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:03.640{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-08A7-60E3-120B-00000000D301}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001453259Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:03.642{D694AEB8-08A7-60E3-120B-00000000D301}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001453258Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:03.640{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d87090|C:\Program Files\Mozilla Firefox\xul.dll+2d86f05|C:\Program Files\Mozilla Firefox\xul.dll+2d86a87|C:\Program Files\Mozilla Firefox\xul.dll+2d8654a|C:\Program Files\Mozilla Firefox\xul.dll+2d8720f 10341000x80000000000000001453257Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:03.640{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571 10341000x80000000000000001453256Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:03.509{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d87090|C:\Program Files\Mozilla Firefox\xul.dll+2d86f05|C:\Program Files\Mozilla Firefox\xul.dll+2d86a87|C:\Program Files\Mozilla Firefox\xul.dll+2d8654a 10341000x80000000000000001453255Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:03.509{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002 10341000x80000000000000001453254Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:03.126{D694AEB8-08A6-60E3-110B-00000000D301}65646876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001453253Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:00.677{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60888-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453280Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:04.777{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0CDD860C53FFBD4ED3D2810FCB7937,SHA256=DE969911D1D500265B4B120BCE37FAFC1750C112BD03DC15480726A3B7F95C14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397980Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:04.466{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9132B808C20910F96642DE79FF6CBC60,SHA256=2E46CE6AA3AEEAB9358BA5A900E97C9E0167BDC7E21A59149A94E0E8CAD5A28A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453279Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:04.576{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453278Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:04.524{D694AEB8-F83C-60E2-EF08-00000000D301}65721864C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453277Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:04.309{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-08A8-60E3-130B-00000000D301}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453276Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:04.309{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453275Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:04.309{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453274Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:04.309{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453273Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:04.309{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453272Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:04.309{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-08A8-60E3-130B-00000000D301}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001453271Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:04.309{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-08A8-60E3-130B-00000000D301}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001453270Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:04.310{D694AEB8-08A8-60E3-130B-00000000D301}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001453269Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:04.094{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAE8672C192A7776F12EC40D0F27454C,SHA256=82C89DED0782DC9DC7B9017C3360CC0BCBA4D0AA4A8BC677E3B20F7B8E738B67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397979Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:01.260{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53897-false10.0.1.12-8000- 23542300x80000000000000001453295Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:05.807{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C427516AD5189194061A0392D2A13E,SHA256=905E9590324188AE3E572DC3947111B6965D9C5B73B753A52CA047F4FEB5FFDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397981Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:05.497{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82DDB99D4636B4AE7F7573E68B28B9B,SHA256=9FD7E50BD40E2A76DC3820A1E5750296DE833455E97CFC600D35BA985C3D1650,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453294Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:05.371{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d8d317|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+40208|C:\Program Files\Mozilla Firefox\xul.dll+122aede 10341000x80000000000000001453293Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:05.371{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002 23542300x80000000000000001453292Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:05.339{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D6DBD68FF819E99E7BCE0BC8B85433D,SHA256=2ABAFAC4BF8CF56B0482E79F8C5FEC5A763A80E8BBBA9A96A685D6A7D9C904EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453291Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:05.155{D694AEB8-08A8-60E3-140B-00000000D301}65684608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001453290Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:03.322{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60889-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001453289Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:03.322{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60889-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 10341000x80000000000000001453288Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:04.992{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-08A8-60E3-140B-00000000D301}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453287Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:04.992{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453286Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:04.992{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453285Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:04.992{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453284Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:04.992{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453283Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:04.992{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-08A8-60E3-140B-00000000D301}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001453282Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:04.992{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-08A8-60E3-140B-00000000D301}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001453281Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:04.993{D694AEB8-08A8-60E3-140B-00000000D301}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001453296Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:06.822{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E162E775F9FF31D86C0DB8D62D374E,SHA256=5B95A61E2E81428BE5433429A23A04F0B9D9BC4113D102D6D3A8D4C40AFE50EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397982Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:06.544{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E826C314718062CCA872AA4971FC7FF,SHA256=419A92434A93779C5173877342E1C274F1B8D9FB44F9D6C80D9C99312A08D8D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453297Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:07.836{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FBF14E35141C1A38CD4720A42E03E87,SHA256=AD7F6B40BB64019980CB0CB124C16AABC2F5F4BCDFCEE3B2BBBC7003CB6DB0F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397983Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:07.544{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D16B1A508E329B121F68D5D23F0810B3,SHA256=FC3E66D94F52D5F6B752054BAECE7ADC526F51E8B817B957734A5CBB0A5EAD84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453298Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:08.851{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD545C618FA4C9D583048318366C4B7,SHA256=0E8113BEEA2BDF9641D82ECA73563F9B640CC071E50658AEBD06DA57687C907A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397985Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:08.559{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54FD450C987953C2AB78A82C6D95C1FB,SHA256=5EA27E15CFDAA0B0223D6CEA4B0A89E495960B538CC6138E3F67510CD32E617F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397984Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:07.245{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53898-false10.0.1.12-8000- 23542300x80000000000000001453300Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:09.869{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73DD872736269A3384E1BA17AAE18DB7,SHA256=267A2560AAC3015651CE6BDF14BD071F301CD3E09F3F8A7C5C0E46B8AA5BC3E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397986Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:09.559{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BAE39E55E449B4B37D9CBAC43776CA3,SHA256=CCE6C532EDE4466AD9E251475177A65F312383EC34E37B3CC3B0CEDA151D4B86,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453299Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:06.702{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60890-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453301Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:10.949{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21CF30B8E214E8230D9CAE8204DB2477,SHA256=97A8EE6801AECF6F3E54BFC4C0CD3EB6AFB968541DC24CACDAF11FDA0F886D6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397987Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:10.560{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D9BC216344B9ADCBF9096D13C38BE76,SHA256=09F9DA5F434B2D05D33FE971CF25E9E6B059B669F1D6707D3639A9661302CF2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453302Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:11.966{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189E0A711A02AAC893187690817F02B4,SHA256=1F87DA8419D737FC9D6FFF20994FE682EF699A6919F351C9A833AF96BFEAD6BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397988Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:11.575{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB00706B8B21407D65C1DA0B4469556,SHA256=F097DC1BC1E4C1091B6843129BC925AD676693EF837883ED61A05AC31EE27A57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397989Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:12.575{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60009A1BF723D7C110AE19E4823073DA,SHA256=642121F892B90BE96E08BDBEA0598571CC4845332B1FCE3DCF698A192081F799,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453306Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:12.900{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d87090|C:\Program Files\Mozilla Firefox\xul.dll+2d86f05|C:\Program Files\Mozilla Firefox\xul.dll+2d86a87|C:\Program Files\Mozilla Firefox\xul.dll+2d8654a|C:\Program Files\Mozilla Firefox\xul.dll+2d8720f 10341000x80000000000000001453305Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:12.900{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571 10341000x80000000000000001453304Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:12.785{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d87090|C:\Program Files\Mozilla Firefox\xul.dll+2d86f05|C:\Program Files\Mozilla Firefox\xul.dll+2d86a87|C:\Program Files\Mozilla Firefox\xul.dll+2d8654a 10341000x80000000000000001453303Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:12.785{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002 23542300x8000000000000000397990Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:13.575{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552F97CA899675728BFE03DCAA46B833,SHA256=58A915F8B66625C7D4D28DA77FA6DCC384B766B8CFF6F185E71FE3FE3B764602,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453309Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:13.568{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+169a00f|C:\Program Files\Mozilla Firefox\xul.dll+6828c0|C:\Program Files\Mozilla Firefox\xul.dll+17948c2|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002|C:\Program Files\Mozilla Firefox\xul.dll+2bc0571|C:\Program Files\Mozilla Firefox\xul.dll+2bbf9e4|C:\Program Files\Mozilla Firefox\xul.dll+6177f1|C:\Program Files\Mozilla Firefox\xul.dll+2d81e48|C:\Program Files\Mozilla Firefox\xul.dll+2d8d317|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+40208|C:\Program Files\Mozilla Firefox\xul.dll+122aede 10341000x80000000000000001453308Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:13.568{D694AEB8-F83C-60E2-EF08-00000000D301}65726576C:\Program Files\Mozilla Firefox\firefox.exe{D694AEB8-F83D-60E2-F208-00000000D301}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+122efe9|C:\Program Files\Mozilla Firefox\xul.dll+122ef09|C:\Program Files\Mozilla Firefox\xul.dll+122c730|C:\Program Files\Mozilla Firefox\xul.dll+122cc44|C:\Program Files\Mozilla Firefox\xul.dll+16b3e21|C:\Program Files\Mozilla Firefox\xul.dll+6817b9|C:\Program Files\Mozilla Firefox\xul.dll+6816c4|C:\Program Files\Mozilla Firefox\xul.dll+6814ad|C:\Program Files\Mozilla Firefox\xul.dll+6810b4|C:\Program Files\Mozilla Firefox\xul.dll+17948a3|C:\Program Files\Mozilla Firefox\xul.dll+17947f4|C:\Program Files\Mozilla Firefox\xul.dll+67fb0d|C:\Program Files\Mozilla Firefox\xul.dll+17910e7|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+179b388|C:\Program Files\Mozilla Firefox\xul.dll+178f3e6|C:\Program Files\Mozilla Firefox\xul.dll+178f8c3|C:\Program Files\Mozilla Firefox\xul.dll+2ffdc1d|C:\Program Files\Mozilla Firefox\xul.dll+64392d|C:\Program Files\Mozilla Firefox\xul.dll+63a002 23542300x80000000000000001453307Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:13.000{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF2C0468A1B2DE52DF347F7017CB1DC1,SHA256=BE481086F79EDFEFF724F32A4EF7BAE6447387D943613B9B0180AB05840DF046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397992Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:14.575{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C4E485FC756295757C6014AF31E7B52,SHA256=721105621AC32FA4C2A044ADF33DE2DB710FD4AA905A026D2FC960092135BEB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453312Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:14.582{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=E3DD3ED03F13AC58BBFC234C91AB0A5F,SHA256=CDA56F3DCE0AF485A0FB3427D6368496E35C958E7ACBD2E3CC76A8DEF9973855,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453311Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:12.465{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60891-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453310Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:14.014{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E2049AD4BC78AFD3C0CDF8F3306DDF6,SHA256=2BE008FA73D11D8A70257B7C86F4C21C6E47C9FC5066D702BDB9D49ED1FAC383,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397991Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:12.417{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53899-false10.0.1.12-8000- 23542300x8000000000000000397993Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:15.591{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1133CC38E4F526275B68B76EF1C64DC3,SHA256=FDCD9DE8776EF0AB939D872EF163FAD9F8AD6D76641B7091E23839BEEEC3E217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453313Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:15.029{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA3E36BE116163211721FAA9404FC0F0,SHA256=09B5DC3B64D33ABDD7E148E78A46632536783AEA404B63C7AB1FDA369ADB3037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397994Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:16.591{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=173C977BD1ED8145D9CD3BE1B97A784C,SHA256=B02FFFF9C6021604ADD448D66C7AD2CC30CAAAEC5D02940F149B5663790304A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453314Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:16.061{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=271AFFBCFD90647A113798F229DCE4F3,SHA256=77BCC2B662D64D0C950E5614E3E34D3929EA99D8C55B871302282118C8B0ED64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397995Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:17.591{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=139B40B79EC4E8E0A9C1400C4D7FF032,SHA256=B77E60F692D84790312FD71410D1FB2745F6C47A74D95D5C0E6F0224453112CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453315Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:17.095{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D5622233F51572625DC4F94899BC8A,SHA256=F6218766F8B23C88655569940F8413B19FFDB68963629D58A11A9C4C59424ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397996Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:18.591{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC835189617D2D8E10610ABC09184477,SHA256=6EC79BB2B50521F2615D8D620394BD1E88BF87EA191D7A25C3183B0A0E8AC945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453316Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:18.109{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90AF3966974700A945167E33609B9C26,SHA256=74C559A02F6A2CA195BAFD5F85D3EFF55BD8E0C1A9A19D953ECBE4084D1720C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000397998Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:18.401{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53900-false10.0.1.12-8000- 23542300x8000000000000000397997Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:19.591{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0CD3BCDC68F96DA7465D44A1AC0078C,SHA256=A398D28B50B0476CE89B29CAA463B107B29BD2224C652C972CEDE235AB1FD542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453317Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:19.124{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D4081E1845B503A809568691309620,SHA256=84F7693BA719ABC53A2865A21660BDBC315D4D72CADD9A9449E94AA5C9FD685F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000397999Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:20.591{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40075C335EDE96996A09562093E651EA,SHA256=5D1F1C798C83834277C176BCF118A7B07BF088F1EEDCB45CFB491A7A293E62D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453319Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:17.690{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60892-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453318Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:20.138{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B08D4D0C31D3CC1B03EFD3ED4E9B889,SHA256=4FC2FF572381F23F719AB06A5BCD27F06244669161E21A22CA137F11D5E59575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398000Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:21.591{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE99365E1F5FAC06F24F8366C389ACF2,SHA256=1872D9E9D2345201F3384BB2E7BBB0779329CA821E3910840B1065F4948E8990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453320Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:21.156{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A1C0ECE2F57EBF4481E6A267401C32D,SHA256=DAC0DF163F199FBE6BC8D6C84CDF7E6E152AB6A5E8D051848188698E014BF734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398001Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:22.591{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D6E99B2A99C76B69A797156060E76B,SHA256=0EEC03911FEEC6B4E23D8ADFA5FEBCEB4841F8DE849763E65A45F68D838D430A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453328Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:22.605{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=9704DEC75205A6825A0BE1BA5CE11ABD,SHA256=7475DA4224199977086B77BE6396F406B59A68F5F65FC66046C1D618276BA151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453327Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:22.605{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=A5D8C55926A71AF13CBD8E963C541078,SHA256=98032DE50F2DEE8D8046F03D8721965509BE9A7FDB2E3F5EF9FFA273748845C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453326Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:22.605{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=7094A6C27C0629A90ED97662E0EDD281,SHA256=1A3B4A6C4F5B4801431506C40DC86D1C20345D75CA7731C7943512E2D8F6B760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453325Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:22.605{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=69FA5DD658F4EC3827295BBE86EBC7DD,SHA256=5B7A25D51E7970B9082052F8B64AB2B32A871386A5F9F12F7CBE4869CFB07B4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453324Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:22.605{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=822D879DAF2AB60276BC23F2FA0CDE1C,SHA256=96C5BB2C585498189C7970310394B4FA4F1983DB16A7295D8C336284ADDFC859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453323Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:22.605{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=AF60DB1DC5777E52A90477B792108C64,SHA256=34A03242100E572C9848AAEC72FB3E9BD5EE4FA9217F6572296DFFBD908109B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453322Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:22.236{D694AEB8-B3EA-60E2-0D00-00000000D301}9166272C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1600-00000000D301}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001453321Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:22.205{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E33A6C47680CBD176A23E75C6251DDF,SHA256=EB6CB9D87D6CF76B549DC34799391A1B929E1930383EEB42C17337240917BE34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398002Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:23.606{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB237F8AB5DA3308CC40C502895339E6,SHA256=FAC3252BFEB12846C79586564A05B0DB8EDED2812FF8EBCD1DDD276C21F37A51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453329Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:23.220{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DE52134CCDFC5922F95C24C639C31CC,SHA256=AE3479E887D67D05CC7002842623F9804C5B7476CE797273B8AB5ABCEED7552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398003Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:24.606{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7086705B1CB9CE5BDF813646FEE58FD,SHA256=CDECEC1421E7F464F0318364B37DF2E7DF875BF239C7F61A99041221393B4BB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453331Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:22.701{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60893-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453330Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:24.272{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97825AD02C04C5D43750C8DC4566F830,SHA256=BE595B1695F40FAAD77E5A93C045555D121B9AD01CE3462D8D4F67CD1DD95536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398004Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:25.622{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C82666C8052BF5E9E8E11CD54BBA872,SHA256=231D750F8903A821EF01199F0656FEFAA677A2184EF03826243DA4B946926162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453332Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:25.286{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B10A81F89312B21118226AF245C5363,SHA256=B03005F49C95E0788CD8017980066433A5B893B0CC82BC25B9E6AD0AA5B9D7A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000398007Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:24.401{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53901-false10.0.1.12-8000- 23542300x8000000000000000398006Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:26.624{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E08E05A9EB157B8DE2D25FF2F85D20F,SHA256=6903C5E6CF0648101076EC55C333F4108A6447D087F7BE6EC7C7DB3EF3C94767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453333Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:26.301{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F7A6C5F8ECA7F0A0D4DAEB0AEF421C0,SHA256=8788AF1FB8480C88FD23EA50DF96CEE6F3E3950FEFC737BD6E70026B1307130F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398005Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:26.343{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=51560E0BD0CAEFE3E608AB30448E254E,SHA256=D7A70386563E5568E655928E83F06BC5D223F5FC77A98A5E0C47F1A7B4149CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398008Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:27.636{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BA022C52BC3E12B83BF3E5CC1E6022F,SHA256=1885360C9CCAAFF69999F9C8319A3F7B08CD113D8929B5568BCB1BD61D57B516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453334Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:27.331{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAEE0A84DAAF6F2EA9286F2FF86821D3,SHA256=45EC38C346E73FBC80D26D16DA3C4AF6CBC82AB0DF8A8616BE2403D6DD07B4D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398012Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:28.639{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0092B0DA081E217BFB320D0B1CD9545,SHA256=633C26F97DE5CCBF47C0AB34C5A59ED76C33BC07FE2B269914AEA1200022E174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453335Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:28.348{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1264C25A765553E449D8CC637F5F019,SHA256=A73A5C776E24A8D3857F9D1035E84281F5F5310B89B11E91DB3615E763C1F1E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000398011Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:28.246{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398010Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:28.246{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398009Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:28.246{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E4-60E2-1300-00000000D401}848C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000398013Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:29.639{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9953F1F0D5CD0882AA98E87BB4084AF,SHA256=9E02690B95849A8B0CF5B475C54887B6CA4B640BDBA63C3FEA449BF02FB7E603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453336Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:29.350{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D20179F4A9651B2242E1F705D5B72AB9,SHA256=CF6D011D1BC8F7CB2136E7EC896782FE8383DE7B91E9523326A08685D91ACD22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398014Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:30.639{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=349FF77DF72DCEC52E430B048C3E7C7D,SHA256=A3BCA9A9970C1D2BAB2B460F5128744595BB149C8EAEE6058D670438531B3D18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453339Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:28.716{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60894-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453338Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:30.466{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453337Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:30.366{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BCE3CBC1A813B341195308F82B8E738,SHA256=D87E9DEEFCFEF5FA92252090B6CF4969E36039922BB3EBAF6EBCA916867845D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398016Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:31.639{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8179E7C74B81DBC9A99154DBEA93D226,SHA256=8F4C2ABD8F764AD7B55A5471EDBEECDCC733A2DCACD504FE6BFBAE39B5FB30F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453341Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:29.896{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60895-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001453340Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:31.412{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=844877C440C0A14AF628BDD42C9C9BD4,SHA256=270D42C638E47CB2A39DB2283907104628BD0E28E40B512A97A323CA0C9705CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398015Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:31.170{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398018Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:32.639{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E7EEA42929614516D2229AA6B8800B,SHA256=940AB31A590B5ED2C7F900CEF9B5AD7FE15E2AA202803B0098B0A19F17A46369,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453342Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:32.445{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C460F1A23A7A27C5BA860CB3D8BD2A8,SHA256=43E0411C5508BE88B1C2C34730BDCB54F27F10980A3D0B52995A5B38A18796CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000398017Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:30.324{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53902-false10.0.1.12-8000- 23542300x80000000000000001453344Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:33.941{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9CFE7C926CFEE624EAB292216D4EFB1F,SHA256=D3D57F78076E14D5DD6BACA9F691DC9E2A64F8BA4D37830E7A0D871ABF3FB6F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453343Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:33.463{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E3B8CF5845B3D4E7E35DC228759A3B,SHA256=6F3C9273185438194FEDB55534B59B6E89A7BDF902625093DCB2A03CC3313E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398020Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:33.639{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2D86AE02AF8E7D9F6A785E9D3C8833,SHA256=3D455DF7438DFE62F8AD22C0D60506D7404DC1FD7D30B3690B91A189CFD85BAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000398019Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:31.355{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53903-false10.0.1.12-8089- 23542300x80000000000000001453345Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:34.478{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE732F2BC1FE1335795FE052A53F8C43,SHA256=A286F8F7E54314F20132BF1345186E9CD4E21A26EDD7A532C4EB6F74914C9871,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000398035Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:34.842{7F1C7D0B-08C6-60E3-7D0A-00000000D401}3968824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000398034Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:34.654{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4150DE758BD7255B33EEC974A195D601,SHA256=EFD37C002E15E781241F01A9886AC03E6DECC2224A1BE7188A6BF20B8046270B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000398033Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:34.639{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-08C6-60E3-7D0A-00000000D401}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398032Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398031Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398030Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398029Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398028Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398027Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398026Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398025Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398024Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:34.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398023Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:34.639{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-08C6-60E3-7D0A-00000000D401}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000398022Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:34.639{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-08C6-60E3-7D0A-00000000D401}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000398021Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:34.640{7F1C7D0B-08C6-60E3-7D0A-00000000D401}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000398064Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.951{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65353B5C146BC22637F68D8439492D64,SHA256=FF15AAA5E096F5B0A0A26D8A7C5E235A1253E603B138F2711C1333851AE2D02E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398063Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.670{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46258E65F5E7F11F71CEF501E8EA238B,SHA256=9DA2315B86B2AD6B94244F65D4252FF56F5E7FBA0D6CBCBC5F7529CBDAAC7969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398062Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.654{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC795E6447736A2C9F75666EA0FE78B9,SHA256=3F1320AE9E7EAD3CBB049296D95DCEC7EBFFF3FCA810E3F84AF220D31A382C9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453346Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:35.508{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EB37CAD2EC71C29CDBB5971EC8BE22C,SHA256=32B989290747B445E79314B19D37A2443708147A611E9C804D31FB0BCB1BC568,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000398061Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.639{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-08C7-60E3-7F0A-00000000D401}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398060Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398059Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398058Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398057Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398056Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398055Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398054Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398053Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398052Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.639{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398051Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.639{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081316C:\Windows\system32\csrss.exe{7F1C7D0B-08C7-60E3-7F0A-00000000D401}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000398050Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.639{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-08C7-60E3-7F0A-00000000D401}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000398049Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.640{7F1C7D0B-08C7-60E3-7F0A-00000000D401}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000398048Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.139{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-08C7-60E3-7E0A-00000000D401}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398047Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.139{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398046Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.139{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398045Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.139{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398044Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.139{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398043Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.139{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398042Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.139{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398041Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.139{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398040Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.139{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398039Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.139{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398038Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.139{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-08C7-60E3-7E0A-00000000D401}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000398037Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.139{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-08C7-60E3-7E0A-00000000D401}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000398036Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:35.140{7F1C7D0B-08C7-60E3-7E0A-00000000D401}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001453347Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:36.522{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECD64FC8D72B525C2B85F0FF7A3FE5CC,SHA256=B4974F84620133E6FFC8B3F22FC282F2DC52D2489CB08B1B3AAF43EF1C4D526C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398065Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:36.670{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A394A07E17B8CA80C05D7A1B369064,SHA256=B2CC3E8189A62421A248AFC5D0BB5501765DF1301354C9547D64DBF10BB3C708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453349Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:37.539{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B6CD431C84251F8A23C1CD9CAA20DAF,SHA256=D5D8215B2EC7F69D25BABD7D18C4755DA568E6F2108E2DA53DC74580D8AF3FAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398066Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:37.670{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465E1A959E6EDA643D531FFDEC332B6B,SHA256=C4AB9C0AC4655F2EFEA6DDF5A524B1C8E596F249CA0123529427774FCC33E54F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453348Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:34.511{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60896-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453350Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:38.557{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F5FEBBD508097C9584AAB3E045B807A,SHA256=1964E28D01479B0337369C5727B8B1B381AED51922A7D9B429ECE314E550B411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398068Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:38.670{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=171E92108912BDC44467D3522EFD4002,SHA256=ABB92696438DC188EDC1AC50D53B57F51C55DB8992B724997ACE654F6A282248,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000398067Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:36.309{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53904-false10.0.1.12-8000- 10341000x8000000000000000398096Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.811{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-08CB-60E3-810A-00000000D401}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398095Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398094Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398093Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398092Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398091Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398090Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398089Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398088Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398087Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.811{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398086Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.811{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-08CB-60E3-810A-00000000D401}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000398085Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.811{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-08CB-60E3-810A-00000000D401}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000398084Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.811{7F1C7D0B-08CB-60E3-810A-00000000D401}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000398083Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.670{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BFE60BD06996F208855DC3F92CABBDC,SHA256=E9AC788E22F7BCD99C041D39F0F65DA650D001337F9A7DF8E0F60B9811119162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453351Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:39.603{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D45C1C8C7E769BA1B1D4AEEF5ED8AF8,SHA256=D6B0701794C7CE86271F4516B035D115A1EB407105BF8BE03F77796BF8B3DE07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000398082Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.326{7F1C7D0B-08CB-60E3-800A-00000000D401}10681816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398081Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.139{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-08CB-60E3-800A-00000000D401}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398080Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.139{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398079Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.139{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398078Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.139{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398077Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.139{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398076Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.139{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398075Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.139{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398074Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.139{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398073Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.139{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398072Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.139{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398071Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.139{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-08CB-60E3-800A-00000000D401}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000398070Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.139{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-08CB-60E3-800A-00000000D401}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000398069Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.139{7F1C7D0B-08CB-60E3-800A-00000000D401}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000398113Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:40.826{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D475C5A30C32326293C3C352314E0820,SHA256=E451E72766CA0A8D804BBDC524C22B1A71B87D7E64FAE54E9AD54F7B87A2B3BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000398112Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:40.686{7F1C7D0B-08CC-60E3-820A-00000000D401}28523840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001453352Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:40.617{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678BC667E311039A0114041F7D194118,SHA256=F9B2672C30EDB890A58224BB855502645873CCAAC7F0F7B49F31EACBFACAD40F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000398111Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:40.482{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-08CC-60E3-820A-00000000D401}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398110Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:40.482{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398109Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:40.482{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398108Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:40.482{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398107Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:40.482{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398106Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:40.482{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398105Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:40.482{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398104Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:40.482{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398103Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:40.482{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398102Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:40.482{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398101Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:40.482{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-08CC-60E3-820A-00000000D401}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000398100Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:40.482{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-08CC-60E3-820A-00000000D401}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000398099Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:40.483{7F1C7D0B-08CC-60E3-820A-00000000D401}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000398098Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:40.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46258E65F5E7F11F71CEF501E8EA238B,SHA256=9DA2315B86B2AD6B94244F65D4252FF56F5E7FBA0D6CBCBC5F7529CBDAAC7969,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000398097Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:39.998{7F1C7D0B-08CB-60E3-810A-00000000D401}40243056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000398128Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:41.779{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4204CC212C5210412839BAA454DC2F,SHA256=9050C8371BFE659568993946201794A6B9756B7EFF103D063F48AA6EEDAC04C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453353Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:41.634{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08B1C0BBF82778909C06DFB4FD5F1F2B,SHA256=896A28CF79F46BED522A83D3869113E211B661BEB04925C2CB087C825C2396C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398127Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:41.670{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FCA1C785E08046EAEC74FDE30937C7E,SHA256=341F4C7B4024F7BB2C55D63CE156516F1C34185DD4D55EC3BE420BE058300765,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000398126Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:41.154{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-08CD-60E3-830A-00000000D401}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398125Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:41.154{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398124Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:41.154{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398123Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:41.154{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398122Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:41.154{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398121Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:41.154{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398120Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:41.154{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398119Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:41.154{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398118Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:41.154{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398117Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:41.154{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398116Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:41.154{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-08CD-60E3-830A-00000000D401}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000398115Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:41.154{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-08CD-60E3-830A-00000000D401}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000398114Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:41.155{7F1C7D0B-08CD-60E3-830A-00000000D401}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000398129Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:42.858{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5641A2B0220E2D01BB010DD88B9BB6E6,SHA256=39E5F0BF8BFF8C7378F856E2BA324A99E6D1BDFEC3871C245657448C85B9F7A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453354Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:42.653{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D7BAB2D691450337573DA39A8C1B9DC,SHA256=F6B25A560CFE55725733F9AA50C2DDF7C4930CC6FBAC12B7E82AB9101A73CEB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398131Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:43.904{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF29B3B45BC5FAF05CD55B10D54501C,SHA256=E87EB0BADB76A1C736DCC4E3DA00DB11625C00527694BA9D03581E44DA739458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453356Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:43.667{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D045F11F812A848F6454DB9C7748E1E3,SHA256=BDB3933688AB5F8F5A08BEAECD00A62177A6A76A78E91F232BC559B3D658962C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000398130Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:42.246{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53905-false10.0.1.12-8000- 354300x80000000000000001453355Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:40.535{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60897-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000398132Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:44.920{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE18098ADFC0EB3953B9D58C462E786A,SHA256=98D8E22C8B7DDA24CCF1ECF77C81FDBCA21637BEE78F0B93CCCB46E0815FDF44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453357Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:44.682{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D324DF0368B1124628109E4D44943F1,SHA256=D4CE11C104C878A26844FE929F6103E940D575DF76476D58D7B0FE2C821E74A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398133Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:45.967{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F5FFC1490577F3DAD2903EDD7A6C348,SHA256=31D4DE8219DFF66A956FD0CC4D510BB0D299C4FA99A2F5E8D2155368AA72994B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453358Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:45.730{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81754C9DC1B80720AADDFC5AD5E353E9,SHA256=81AD769AD970D5F3DA56431732FE4AE5834FF53ACB0C469D01F3228A19C36415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398134Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:46.982{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9F6BC67DDD34770DB45D0D95B5573CB,SHA256=A424E53F449020D99818B9F48663702B2CFB7FF1659590420A794730F3E9AE06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453359Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:46.748{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A69B384BEBBD466DACEB3249AB45C1CD,SHA256=D48CA93ED07E1B236E15B855D2B5F03956EDA267E725223D826E67AE53995A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398135Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:47.982{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC1AFAA4AF1864CF75FC79807BFA33F,SHA256=7E6B4A88AAD65948929BB36AA459D0825879398EADD118DDC4541988ABB956E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453393Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453392Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453391Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453390Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453389Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453388Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453387Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453386Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453385Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453384Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453383Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453382Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453381Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453380Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453379Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453378Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453377Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453376Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453375Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453374Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453373Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453372Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D134-60E2-1A04-00000000D301}4664C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453371Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453370Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453369Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1C04-00000000D301}4960C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453368Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453367Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453366Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453365Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453364Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453363Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453362Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453361Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.862{D694AEB8-B3EA-60E2-0D00-00000000D301}916936C:\Windows\system32\svchost.exe{D694AEB8-D135-60E2-1B04-00000000D301}4864C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001453360Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:47.763{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AECD5A6EABBB0EF8248C6B2907031C7,SHA256=394C86FD80E3EEF2C1286CF0EAF2F4B50317467F19A82D68741CDCD5565CD16E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398136Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:48.982{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83305C0DCEDAA3A9913E6A9E4598EC19,SHA256=914A1CBF81753380216618B6B98B412A4FD1A7AA7D11305ED52246111865ABDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453394Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:46.575{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60898-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000398137Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:47.449{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53906-false10.0.1.12-8000- 23542300x80000000000000001453395Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:49.145{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC861A4AD48E89AF5370C67D49C9759,SHA256=E64F032BF32D8495C5A99D1F4B7D77053909AC4787A716B981C19BF2F0755739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398138Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:50.232{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA779899A9A882A1B6F28E7580E1095,SHA256=1F6328A73ED422A7AAB268856930169C5490C54245B5DB0AC033E18DC4D57660,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453399Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:50.424{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453398Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:50.424{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453397Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:50.424{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3EA-60E2-1500-00000000D301}1244C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001453396Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:50.160{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE036C2BEAD53DF8633BB445ED14A1E,SHA256=10647C7544896E049775236C50EC3FCD56D0D71A85F4BBCBAF6038574F160CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398139Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:51.451{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10DBD57363BF14D5F7AB6E6B64D367B9,SHA256=FDE584B74D33AC1E97D404E9797C7240D420D957B3D1345D28B563B5F4D2D68D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453400Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:51.175{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46C0CA63EC45CC8CABF5716B52790E6F,SHA256=497839794CD1341CA1E85316815745862CD921328B48F34954014D62D95BE24D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398140Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:52.482{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F80BCBD327E0CF29154BD770E5A5A66,SHA256=C60B18E4FEAA72579DC3726EBE7FCD894E552E6B9BFEBC9315BE875FD74B28EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453403Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:52.773{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C675E29D77560C5A423D4777221143C7,SHA256=637A9FC9DF81762FAE0BF5269106A13CE6EAE53FCE426ACDC23CCD2D591AD9A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453402Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:52.773{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB5870E03A4EFF1A85A3DAF420A6982A,SHA256=D1DCF9B9500FF8A04A522A4571963E634013C3E3B16AFBC9F1C0BD8A04B9F666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453401Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:52.224{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73A0E0D474EA2FD4A7A56B7684B2640A,SHA256=48E9E197FBD215D9CDD118EE8F962675F94B60E150BB8286EFF0E7B1E0CF2137,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398141Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:53.482{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8541F4F07296DF89997D4520C5F5556D,SHA256=75CA016C058A32C9AFDEB8FD35E2D5F590F83A0B8228CE610FD0EE9F4D80452C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453404Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:53.241{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C381E8017FDD7AA08C5BAF6D967CE6B,SHA256=11DF61559112E1729FA4E1A67A8FE5E00826C27F60460EE67ED3627B7C9E9890,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000398143Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:53.450{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53907-false10.0.1.12-8000- 23542300x8000000000000000398142Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:54.498{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F56297871DC42C1B4AF9907CB26145AA,SHA256=3080609682B2E5BCCBABDB13114699D03810CA8430E7AC6164237F6D176E3255,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453406Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:52.591{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60899-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453405Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:54.255{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D984EF4DBACFDD8CF9F2371BCC98B664,SHA256=1FF822DA217ADAF34243B280F5989E201576788684E7A76C6241C8D09F7CC25F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398144Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:55.529{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72592DB40CA64856CD7E8417DE41F5C5,SHA256=57682D25F6F8B510A87FBDE49A476019B13308FA1A4BF816BE84A563CB148377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453407Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:55.270{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6CCAE8891D8A43D1783880ED1607653,SHA256=26CB2DE6D5656D6FEA8D048BA03AC07F7155C62E1F1FCD9D8566DEE1880E4C70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398145Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:56.670{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13AA51AFCC5E8A85AF614BDCEA57E425,SHA256=800B1D4DD2F30569CC027AFD4E4CE201A43219B5EB7C499145CC3ED45E569CB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453408Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:56.300{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C30D897D074C753E2FD515AE97F7AB,SHA256=4201CC783D6256C45B947D6D40613019965034C2EF76C41A7FD19DC5C988088A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398146Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:57.670{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56C1AE325E1C819ECD2C59268C6DA860,SHA256=2C121FD9321C3F39EAAA1EE0836306A09B7EF0E6F2E618314DD68ED15CEA46D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453409Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:57.318{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=178A650A3B9EF57A3B2837F56814D279,SHA256=370CCD2BCC12CF3C34AA9F0939FE505FD8C97047840CD47D1D57D909D3E66C3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398147Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:58.686{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269678DA0E595B1401754BD4EDD6C75F,SHA256=511855FE4F15DA8D7B3E270D3C7C94657515AC9152A7DBA479B6DDEF396CB5AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453410Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:58.335{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148C63FF2C00B2C32B2FCA870A94878B,SHA256=5D8D9802F5D18232C9957574C3D0CB3C1A6F0ADA66C450ABB39F7B0DDBAF307D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398148Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:59.701{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB79D1D07346F7FD0A601424CE1B3281,SHA256=91ECFB771529ADBBF451B7E1ACEC59532D6A726CDA60C80ACCBA8EA30E4BC07B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453428Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:59.818{D694AEB8-08DF-60E3-160B-00000000D301}6680388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453427Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:59.665{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-08DF-60E3-160B-00000000D301}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453426Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:59.665{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453425Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:59.665{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453424Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:59.665{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453423Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:59.665{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453422Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:59.665{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-08DF-60E3-160B-00000000D301}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001453421Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:59.665{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-08DF-60E3-160B-00000000D301}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001453420Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:59.666{D694AEB8-08DF-60E3-160B-00000000D301}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001453419Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:59.350{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BBBF6A93442B6FB6A5D10291C1FD511,SHA256=99738E4508CE2C460C1D239953EBA259ED3A3489B91FE28633303228C79AA10C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453418Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:59.118{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-08DF-60E3-150B-00000000D301}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453417Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:59.116{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453416Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:59.116{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453415Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:59.116{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453414Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:59.116{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453413Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:59.116{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-08DF-60E3-150B-00000000D301}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001453412Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:59.115{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-08DF-60E3-150B-00000000D301}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001453411Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:59.113{D694AEB8-08DF-60E3-150B-00000000D301}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000398149Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:00.701{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0412CDBC3E389A20C5D4B79295AE12E,SHA256=BBFF24F9DD2DE19E067153B823BFA01D807EE61665F66998872876AF6965BB94,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453440Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:27:57.600{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60900-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453439Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:00.364{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103D90B8A5BCC978EDAFE07A6DFC2566,SHA256=D93D50AE7A70CD5553E827BEAB658EC026F648995B62E5A3823021006C1C932B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453438Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:00.280{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-08E0-60E3-170B-00000000D301}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453437Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:00.280{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453436Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:00.280{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453435Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:00.280{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453434Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:00.280{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453433Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:00.280{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-08E0-60E3-170B-00000000D301}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001453432Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:00.280{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-08E0-60E3-170B-00000000D301}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001453431Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:00.281{D694AEB8-08E0-60E3-170B-00000000D301}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001453430Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:00.133{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27EFEA396EB968D1B349C320D4D4FF61,SHA256=179C00178EC0FC487954BA0898E98F9BC373B7839565ED691490512FA6DDF6D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453429Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:00.133{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C675E29D77560C5A423D4777221143C7,SHA256=637A9FC9DF81762FAE0BF5269106A13CE6EAE53FCE426ACDC23CCD2D591AD9A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398150Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:01.701{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ADB6868BE5CC7B8FC5D6828C0A77229,SHA256=86E26E6AA3AF89C0973AEE8B7E24C7DAE65F2BF15D1618DB9125D6F05E284599,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453446Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:01.978{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55af0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001453445Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:01.978{D694AEB8-D134-60E2-1A04-00000000D301}46644760C:\Windows\Explorer.EXE{D694AEB8-F83C-60E2-EF08-00000000D301}6572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+555d1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802AE65A8C8)|UNKNOWN(FFFFFD032B8B4A68)|UNKNOWN(FFFFFD032B8B4BE7)|UNKNOWN(FFFFFD032B8AF271)|UNKNOWN(FFFFFD032B8B0C3A)|UNKNOWN(FFFFFD032B8AEEF6)|UNKNOWN(FFFFF802AE371E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001453444Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:01.978{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF14bfce4.TMPMD5=7CC92A355EA66A219E3148903E63F654,SHA256=CDE288AC5D74287BFA2D9257B236405535586530C59E6CD093A4AD9FE7326A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453443Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:01.970{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\aborted-session-pingMD5=C0B66E87B1A0703179C9AAB95221D9EE,SHA256=B0286E0344A3B4B06E9056087ACD79FB0311A77E42C6FA24EA0156EE0AF6A5F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453442Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:01.394{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D10074ABCE94DFF1772306EBCE2692F9,SHA256=107F0AD0367D6CCD435BEA51476FA79AA3AE4E0F2F920937326C0C655D318A80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453441Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:01.378{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27EFEA396EB968D1B349C320D4D4FF61,SHA256=179C00178EC0FC487954BA0898E98F9BC373B7839565ED691490512FA6DDF6D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398152Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:02.717{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC34C790803765CD014DE363F82ED2E4,SHA256=DA8D3813B8D865BA45BC87798A30F90AE62D66B93F0E0A046FC013A566435ED2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453455Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:02.960{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-08E2-60E3-180B-00000000D301}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453454Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:02.960{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453453Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:02.960{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453452Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:02.960{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453451Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:02.960{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453450Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:02.960{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-08E2-60E3-180B-00000000D301}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001453449Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:02.960{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-08E2-60E3-180B-00000000D301}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001453448Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:02.961{D694AEB8-08E2-60E3-180B-00000000D301}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001453447Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:02.412{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74D7AC8D25478D18E3D538BB044F504,SHA256=B7A1DAFD9E07EBD97202769D64379EB7417E4CA9A5C366806A24BE98C3D0B304,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000398151Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:27:59.434{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53908-false10.0.1.12-8000- 23542300x8000000000000000398153Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:03.826{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0144B29FCFFA7540F2717D7B7E00B14F,SHA256=35521DBCBA1321FF8556BFC0F7C90B9C6CF92C23BFE60D2AE231435F51DEC3E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453467Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:03.975{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB571F47F9672BC7BC317EA93181460E,SHA256=784FFBA3BD9A98535893CB62776A32A39567E049D29477FC0260FC2E261101A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453466Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:03.791{D694AEB8-08E3-60E3-190B-00000000D301}23204404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453465Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:03.644{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-08E3-60E3-190B-00000000D301}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453464Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:03.644{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-08E3-60E3-190B-00000000D301}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001453463Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:03.644{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453462Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:03.644{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453461Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:03.644{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453460Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:03.644{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453459Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:03.644{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-08E3-60E3-190B-00000000D301}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001453458Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:03.645{D694AEB8-08E3-60E3-190B-00000000D301}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001453457Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:03.428{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFEF4152E17C8164497F66E133D1A630,SHA256=674F425D2D5D06A01A2A3ACD38EBA2F3D46844AA2192C618284BED6AAE231488,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453456Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:03.129{D694AEB8-08E2-60E3-180B-00000000D301}3845424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000398154Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:04.857{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E75F1CA4B4EBDAA03F654C9677F5FDD4,SHA256=4032FB7ECD3CD8993AA5365282249475AD26BE08C94FC0B0EF2EC1D255C8100F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453476Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:04.443{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B89598893B74D1F766FF11B755D322,SHA256=196BA216AD3EE88BA990AF787BFB78CAA41F9EA1F91C3B75798FCFC874D29998,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453475Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:04.327{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-08E4-60E3-1A0B-00000000D301}5968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453474Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:04.327{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453473Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:04.327{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453472Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:04.327{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453471Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:04.327{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453470Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:04.327{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-08E4-60E3-1A0B-00000000D301}5968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001453469Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:04.327{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-08E4-60E3-1A0B-00000000D301}5968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001453468Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:04.328{D694AEB8-08E4-60E3-1A0B-00000000D301}5968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000398158Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:05.857{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=998F6DE0859B482BCA697B6FDF1B38EC,SHA256=E4E17AB4157264E188E7886C383BEED43107F223AD5358989055E2EBDED49F37,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453490Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:03.340{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60902-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001453489Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:03.340{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60902-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001453488Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:02.641{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60901-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453487Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:05.511{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08572E2D41260771632877E701D46AA8,SHA256=CE23D26DC526849A0F35AC8F42CED0B5842E381B26341E078D2BBCDC2F0D1E8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398157Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:05.701{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF8A66301A5C83C0831FC084E91D76B0,SHA256=DF6CFE04BF11F065274D37E86CC958FF316A24C22500EDC038D70555576D7A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398156Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:05.701{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76FC4BA7E589F73DA1AFD3E0930B1D75,SHA256=8393B012521A871233DE3B8E6830E7A63AECDE48DC340A665A1FA812EB193826,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000398155Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:04.601{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.166-50720-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x80000000000000001453486Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:05.342{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=896F1BDBAC0E3915E1490CF9B629A335,SHA256=5375D6F1AC4E8EC326A9C387CEFEF3A89CBB4A392ABEFE76C100A996ACB84ACB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453485Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:05.158{D694AEB8-08E5-60E3-1B0B-00000000D301}30205300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453484Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:05.010{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-08E5-60E3-1B0B-00000000D301}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453483Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:05.008{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453482Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:05.008{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453481Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:05.008{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453480Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:05.008{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453479Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:05.008{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-08E5-60E3-1B0B-00000000D301}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001453478Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:05.007{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-08E5-60E3-1B0B-00000000D301}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001453477Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:05.006{D694AEB8-08E5-60E3-1B0B-00000000D301}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001453491Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:06.525{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC50780D744B95D5C95792AC106CDCB2,SHA256=F5B06E9F7892CE863724F9591409E9C02C4FCF22AF8CD5D1BFD5D27E80ACD1ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398159Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:06.857{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488240D90972F5DC90B9236C272EA2A1,SHA256=C13A8C53EE40834930F3BA7F01014C6F372A49E450BCDD4093675B815C6B31D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398161Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:07.857{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50FE7230C8DA531DD9149BCCA3E42FF9,SHA256=D64D6ED2381CCEB12346215FCB8AB784B0348ADD968F7926BA84512063DAD903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453492Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:07.540{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C170378531DBF86BFBD92AD8BB056C2,SHA256=7A59725654F22FC9C1E42064A6F2DDD5512A19C88A2575900EECD578A3302824,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000398160Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:05.340{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53909-false10.0.1.12-8000- 23542300x8000000000000000398162Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:08.857{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC91F857D54D4AA57452041A67E9E4F,SHA256=35BA7DC58D26D4EA3B717DF689B7FD53375708E898FD63C9DF755E6E00042EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453493Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:08.554{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84041B346A2BE7DD1E1EEB376E3FC807,SHA256=3E61256B2C1C31436A1357334E9547DB3CF42B49567DA015CA9DEFCCDBEDF9E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398163Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:09.857{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49F2D02FC1FC435EB3C4DF353BC7A695,SHA256=78A9F50912CB9E8A3151A6A2094184075ADB8F836B7DD252FD96AA4818C5F6A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453495Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:07.651{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60903-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453494Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:09.569{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F417E7C67FC08EEDC9F9C59926D7C06,SHA256=C6C9D5CA2D889DDC9EB3DE9C3158CD3B1653E154FED2BE90B97E31C4B862B325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453496Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:10.584{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C173A445A84A33CAF0CAE54D9C349913,SHA256=D9B02A434807E21D4BA8CFB623407893DBBC2BD64A97619FC316CEDE1EBAE23B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398164Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:10.857{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E73E096C3A8A11420303EBB0A5A938A9,SHA256=6E2BCEE94F85099B3B76CB0B1D4879B150B885450A0DA501263AAF698CAB4FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453497Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:11.605{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90CC45EFFCEABA46615D9A10777ECD51,SHA256=66BE8F1F0567060CAFBF09C5466C401DD3FC3CF9C0C913659BEAEC47FAA1772A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398165Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:11.857{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1E35F275ABA36A6FCE04344495646F,SHA256=3427594E71B9A1875164BA02B4CC4AA55058402E888EFA15E6F9DAD96BD28F6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453498Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:12.619{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BCCF760F3658767A36CD636F41C83C,SHA256=44A6E36FCC01FACF160D90BA1246FEA5B8DBC40506DECB24A11E2EE29B47A4A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000398166Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:11.309{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53910-false10.0.1.12-8000- 23542300x80000000000000001453499Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:13.633{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E783872D1F03064F87DD306DC3A397DC,SHA256=B6863B91B60C381D857BC962E25CD1D644D9ACE036850EBAD2ECBCBC21F37086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398167Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:13.014{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F81CCC48A9F6D0E033E72F7EF1BE7718,SHA256=D83457BEFA8C88FAFB6BD61D1A427AF5EB0C812F9A2799CD8935C5A463474B49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453500Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:14.648{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8312367F652A9C03EB9CD694B8143795,SHA256=F1001E324DF14B03C51280D0FD47E94893186E580EBCB110828E32B954B61DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398168Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:14.045{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44BC4ED22A963529D70C2B4518CAE522,SHA256=73C6EE83F5F959057D032FBD7760904D7A20EE9D77DC47C52E7F652692D76274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453501Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:15.662{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AA2A31ABD1D2C1B5F89C329919B1E66,SHA256=AC95AF6C1DD851563AC6961779F7164DCEEE1C3EC7C2CD84FE27E2BDDA01F834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398169Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:15.045{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27EAF0150BEBEB9833CA620DBB7555DD,SHA256=4E6041BC93A25CA82C57866C1BC637D595DCED7A82C8D042E8FCD53FF4762C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453503Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:16.695{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D60CF9BE3CEEC7956F893E53E85DD3A,SHA256=EFF21317978A197CF7BEDB83AD774D05E7DC57B9808B35C3DDF230E248BE072A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000398173Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:15.627{7F1C7D0B-B3E4-60E2-1000-00000000D401}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.187-20580-false10.0.1.15win-host-884.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000398172Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:16.654{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0D022B7A9C524BD05D30C3849CE1ADB,SHA256=1DD99F4949F9492FE814B1ABF3F2F9158C607FE56EF034AF5BBC4970AE906139,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398171Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:16.654{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF8A66301A5C83C0831FC084E91D76B0,SHA256=DF6CFE04BF11F065274D37E86CC958FF316A24C22500EDC038D70555576D7A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398170Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:16.107{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D4FCDACE66A107857C96F26BFA2585,SHA256=D349BA727F698400E083EFECB5C1CD2B751DB2A22612AAA5EB57317A0A2FF61C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453502Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:13.629{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60904-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453504Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:17.713{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1E93E24A548826CE5C2667188E1EC9,SHA256=C224D7DD287C3964D3B51534E0BFBA204CDDF0016E5422818517001A03004FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398174Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:17.154{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED5D290514D21CCE0C0FC1A113F8E5E9,SHA256=14FE2AF861740F963735330614AF442A0EAFE0B84A084DA957852499E393B02A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453505Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:18.727{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD962BC316DF2F1E9956EB6163383482,SHA256=F8A8A5A2922B268D4BA4EB29C9043331660A55CFC565A6D273C2E43627007EA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000398176Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:17.294{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53911-false10.0.1.12-8000- 23542300x8000000000000000398175Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:18.154{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6778DE1D58929DB6320A7DF0F2471504,SHA256=23C82256D23E46D9BF8E40B995E6E3709FCE3BFB21CC5F97223F6CF892EEAD6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453506Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:19.742{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22476A5F9937904A4AFD584302F683E2,SHA256=4E0A6947074D28AD400B3DE477F09720E59F199BDBA7A0232CF3386A7F5F7DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398177Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:19.170{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C643182DDEBE444F30D67F39798D40F5,SHA256=F8BF28F9007A26F57388EFDA08611D91FE29950B97D83C69DCBD4A3854E61EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453507Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:20.773{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60474E8D08862DCB1665C09EE68ADD3A,SHA256=B260226E9045AF69F6BE7CB1873B076E8F7B2C49D1B48852AF2EAD87778A4CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398178Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:20.373{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D86C29352EB8FA12F0E76391CFA711D9,SHA256=84598E77549707C531A815756249948B1BC1533FB5206070782BB39A4283736A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453508Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:21.791{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6FD6E3E9F9A2F788CB0864909FC51FA,SHA256=860AE6B673DB12F9ED287E64AB4C6F2F41D690B5B207B3BCD17DBA3426C4B714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398179Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:21.404{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144B2B937C96816FDF11783BD8077822,SHA256=492AE70EBED1E4832E538FE71CE6B7C114C97D09020128F9691DF95F46E0D420,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453510Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:22.809{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4969D3FF66AE584B85022EE2FD50BD4B,SHA256=9C0C38DF07BA6DBC69C540527B25362603042E40CE47C46E71835F26D48A1708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398180Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:22.467{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE796DB7A741CD7B52D23C7A0489837,SHA256=EC5B1FB65EB9BA37964E5FBD30643F2D291E598D33CDB8A74220F05ADB199582,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453509Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:19.638{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60905-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453511Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:23.824{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF145473812BC397B36F34D550C025C,SHA256=F619FFB0E796B4EBEEDE398165A44309E3AC23C35501063D22A1CEDB08BFB71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398181Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:23.561{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38638F698A56C31B93FF053F145293F,SHA256=EE080E1D46CA5DC15D01E0B5DB3DB77405F9DDA1069BBC68DE1AC0C9BD6B93F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453512Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:24.854{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4977EAB05A6BFA6550883B33E061E9D2,SHA256=10891751D2D65142394B6F189DC73414671F11C9C50683399D9A336971838D91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398182Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:24.748{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D24D2414D079F0235DD16F9080E022,SHA256=4AC3CDE45291A7B85F7587D63CFE1BA6BF07EAEBF95C4F28B0F913C492C1A9DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453513Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:25.886{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB0666EB7A231A672648A47AD55D58D,SHA256=3D2979239086EEEDC122816ED5B2613925CCE6A65BF7E156796A2EBD361501B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398184Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:25.748{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AF613C2C1B22883EC00C36D85908B71,SHA256=33CEEB73BAACB0404742EC1345CC9013CF4EC8396AB2A7C7A9B08D45146DE102,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000398183Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:23.325{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53912-false10.0.1.12-8000- 23542300x80000000000000001453514Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:26.920{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F9CCD059C7FB0EE5ADD50F2A08C61C,SHA256=41A643525B1111A8D965D0EF6261D3920A44AB95E759B838AB697BC6B431B7F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398186Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:26.748{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A532703B9BEDCA6DF511284EDFDAB0FE,SHA256=24C958D2DDFEF4B0EE9626A355090205812CF571A780B8E9AD67DAD8BB276B7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398185Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:26.357{7F1C7D0B-B3E4-60E2-1100-00000000D401}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1FA44452C046BF9347F2050B90B7F73F,SHA256=89B1540330FB497AC6C8B25F3B769B6C982861CC1D8994C4C30374A9F40497FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453515Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:27.950{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FFD392D59A40AB66EE1FFC8CE6D65CB,SHA256=0215C906DF5CA2EF8218297286AD013DE15F16864302B7094EB65B753A79D0B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398187Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:27.749{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604917CF6D9ED7E26A746E9B8BF051C8,SHA256=0F8D79F15B5C7DC2E8CACFC7D4ABDCB5A5023CC07F1A260E3F7FF1A00BC4B163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453517Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:28.964{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30D2A1EA7AB3831BFE8512260AB74E9,SHA256=84E9C2A27DDFD2EBB9275D1C364A46F07B3D61B64A848D74E31ABDD6E5EE2963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398188Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:28.752{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C559FA8578796FB9FD4D0D3CD596A62,SHA256=FC021553CDEBEBF7BE7710B8AFF2E394BB52FBCF0B5A6B3D80B9E12EBFD403E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453516Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:25.654{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60906-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453518Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:29.981{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C0993FC0049C57C0425EBE688623410,SHA256=E454A98346AF257EA5A792AE6D7C3ABE9FF3880F02D225BAF7B950DC821AF6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398189Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:29.754{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC9327865656BBE9FBF11BE1269A2034,SHA256=76A82F1C93EE8B7D4F6AA0C16BCF9CE2038A9B4677F750188B1D489A4E05D8A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398191Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:30.754{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B44173C2612CC032C6759BB1DE7B5D5,SHA256=580B4FF24B4D89669830D3340ECCAB7C1A80AD270EB7C0E33451FA3A66F6BA5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453519Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:30.500{D694AEB8-B3FA-60E2-2A00-00000000D301}2948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000398190Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:29.313{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53913-false10.0.1.12-8000- 23542300x8000000000000000398193Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:31.754{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390F765B82FF8CEA6761F8BA9CA80E01,SHA256=5C9B5E9148CA00E839EB68461BDC95514B6F5B16DADEB7F30620D3EF9AFF3303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453520Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:31.000{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D81A77D6CCF8811D265A71AA55BBB87,SHA256=A43E2F1F3123DB8F8778CCFAD589C50C40F8AA3C0B597DD25C7F7E50FBE9A40F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398192Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:31.191{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=33EA17C9D0CF150EF3DD52357693C3C9,SHA256=BA4E51F2867FE99FECF90206114B82FA0BBFFFDBB4F9985C47297700F7B60B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398194Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:32.754{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B2E7BA16F60B0BA9D7C1D7430C95CC,SHA256=F838215A20ED42BB8AE792BC9A93655AC38CA840489E5EAA5F1F00E0B53490C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453522Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:29.928{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60907-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001453521Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:32.014{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFCD3A524409CFF5BD9A0F3D916DF9E4,SHA256=FC4D202150C5F9AD38A9AEBC85077236488155BB057E167CA4F4A96671A3F0BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398196Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:33.754{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A710816924CE89D861F326287C29CDBE,SHA256=BFD318E4FF417C8E56346A9F05528872D46AE3448DBCCB5FD168F94F79C23C6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453535Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:33.943{D694AEB8-B3EA-60E2-1100-00000000D301}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E95D6A9756F20280D1278BF1C65867DE,SHA256=5EBF88F9D051288470E4C20B77DC2337BE0B7242F2C010B6DD585E0002B3113C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453534Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:31.648{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60908-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x80000000000000001453533Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:28:33.375{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001453532Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:28:33.375{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x014c7782) 13241300x80000000000000001453531Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:28:33.375{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77199-0x44968ad9) 13241300x80000000000000001453530Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:28:33.375{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a1-0xa65af2d9) 13241300x80000000000000001453529Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:28:33.375{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771aa-0x081f5ad9) 13241300x80000000000000001453528Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:28:33.375{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001453527Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:28:33.375{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x014c7782) 13241300x80000000000000001453526Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:28:33.375{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77199-0x44968ad9) 13241300x80000000000000001453525Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:28:33.375{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d771a1-0xa65af2d9) 13241300x80000000000000001453524Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-SetValue2021-07-05 13:28:33.375{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d771aa-0x081f5ad9) 23542300x80000000000000001453523Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:33.044{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B33E438829C6AD8F34AE5D1808E23DDE,SHA256=9665C3F0C1085F9928505453FD8757E480FD8EAC12C87F8EABA9912CA5E43829,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000398195Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:31.378{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53914-false10.0.1.12-8089- 23542300x8000000000000000398210Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:34.754{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5848BAAA6B3C2CEA393373CEF8B4D4A1,SHA256=ECB1A6F79A80F67BD9A38E1DED3FD701C64B414750782990A8885D657C17EE75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453536Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:34.058{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ABD94891ACD5BDD2881A0C39A121F43,SHA256=8B1FB141887AC0BD9A02E7E354A0028BB14B20A7277DA444ACA0607A00258B60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000398209Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:34.629{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0902-60E3-840A-00000000D401}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398208Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:34.629{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398207Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:34.629{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398206Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:34.629{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398205Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:34.629{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398204Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:34.629{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398203Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:34.629{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398202Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:34.629{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398201Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:34.629{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398200Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:34.629{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398199Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:34.629{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0902-60E3-840A-00000000D401}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000398198Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:34.629{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0902-60E3-840A-00000000D401}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000398197Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:34.630{7F1C7D0B-0902-60E3-840A-00000000D401}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000398241Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.926{7F1C7D0B-0903-60E3-860A-00000000D401}2628948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000398240Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.770{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F035457676B0A38859D7C76982D803,SHA256=72CE6CAABCBDB70F8901114C9FFBD05503FA88032A63DD650D1C61C6CF0C009B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000398239Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.770{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0903-60E3-860A-00000000D401}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398238Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398237Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398236Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398235Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398234Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398233Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398232Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398231Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398230Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.770{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398229Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.770{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0903-60E3-860A-00000000D401}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000398228Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.770{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0903-60E3-860A-00000000D401}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000398227Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.771{7F1C7D0B-0903-60E3-860A-00000000D401}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001453537Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:35.075{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260A86C47BFF977E18679127AF39ADEF,SHA256=C40D2CF377058CF196AA0987A678524939D2B8ABE0EA98B5A900D4B96BFD85BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398226Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.707{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B9474BA2656DCDAABA5A0C3D798CA49,SHA256=4D2E97B24DDD985E1A0DBE74C914ED2F7B396FCC86EDFD68231B28863B06915F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398225Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.707{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0D022B7A9C524BD05D30C3849CE1ADB,SHA256=1DD99F4949F9492FE814B1ABF3F2F9158C607FE56EF034AF5BBC4970AE906139,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000398224Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:34.332{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53915-false10.0.1.12-8000- 10341000x8000000000000000398223Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.129{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0903-60E3-850A-00000000D401}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398222Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398221Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398220Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398219Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398218Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398217Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398216Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398215Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398214Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398213Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.129{7F1C7D0B-B3E3-60E2-0500-00000000D401}408536C:\Windows\system32\csrss.exe{7F1C7D0B-0903-60E3-850A-00000000D401}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000398212Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.129{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0903-60E3-850A-00000000D401}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000398211Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:35.130{7F1C7D0B-0903-60E3-850A-00000000D401}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000398243Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:36.770{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3AEA021E9F884FD1FBAE9DE191842CD,SHA256=B819004BEA79A32C2EF1598F1EC35B5E1893325E7A2ACBED372E6E3C2244EEF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398242Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:36.770{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B9474BA2656DCDAABA5A0C3D798CA49,SHA256=4D2E97B24DDD985E1A0DBE74C914ED2F7B396FCC86EDFD68231B28863B06915F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453538Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:36.094{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF584F8DD55763B5B73EBAB691C9F9CB,SHA256=B7C21AD7DF8F91604267953595EA40E3D88E8EE9B793E83A796E3FE084F45A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398244Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:37.770{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72BA77C296958CA8E603ED91C80425A7,SHA256=1E74D7A60099C92439A5F055B7C6D8F0E239F3282282003A277CCA9D2B957745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453539Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:37.109{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B9EFFFA03A9F7C95F43576DB7CF7605,SHA256=06350234B30ED60256B80D0F50FCBB894EAE1BE9C9B31AD81534EF5E74B7C195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398245Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:38.770{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B86E74654A8839B42E862E8AA29ADC91,SHA256=B7F8C51A5337DE7C7589A73E653E4507891897CC0AF259E9A6702A31CF613CBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453540Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:38.124{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266A7F9070D281855376FB0D6757EB1A,SHA256=9E18D6934F8C6792F973A1E5A8F3195070381F12B76D8D0D944E76BE061A57C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000398273Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.801{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0907-60E3-880A-00000000D401}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398272Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398271Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398270Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398269Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398268Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398267Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398266Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398265Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398264Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.801{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398263Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.801{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0907-60E3-880A-00000000D401}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000398262Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.801{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0907-60E3-880A-00000000D401}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000398261Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.801{7F1C7D0B-0907-60E3-880A-00000000D401}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000398260Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.770{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71AA922806A584C40835D8D4B24D9FC5,SHA256=FD9BA22DB95AC7CBD12F634D51A9FFF450DD09A443CCE0495957BBA8495043F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453541Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:39.138{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7EEE9A3ECF814601CB6752B52321F7C,SHA256=3BD26D8FB9DB35A5B1C3DAB8C4823ABA74B97C9D920FECD6F0533B188B488C75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000398259Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.332{7F1C7D0B-0907-60E3-870A-00000000D401}32041064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398258Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.129{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0907-60E3-870A-00000000D401}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398257Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398256Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398255Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398254Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398253Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398252Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398251Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398250Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398249Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398248Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.129{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0907-60E3-870A-00000000D401}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000398247Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.129{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0907-60E3-870A-00000000D401}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000398246Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:39.130{7F1C7D0B-0907-60E3-870A-00000000D401}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000398289Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:40.816{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24583ACCE797F5952BCCAE6C70F2E187,SHA256=EC141FA5627B1DB72D6FCD9CE5EC29111D787988384BC8038C6044B23319672B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453543Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:37.641{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60909-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453542Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:40.171{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D442A805CCAA478A3033C7AE9C4BE86,SHA256=9E17E4EAE6E9E1AB7B5D01D09FFCE7E01DD2992FDF536FEAAAFF8D766EAAE487,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000398288Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:40.457{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0908-60E3-890A-00000000D401}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398287Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:40.457{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398286Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:40.457{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398285Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:40.457{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398284Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:40.457{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398283Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:40.457{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398282Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:40.457{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398281Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:40.457{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398280Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:40.457{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398279Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:40.457{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398278Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:40.457{7F1C7D0B-B3E3-60E2-0500-00000000D401}408424C:\Windows\system32\csrss.exe{7F1C7D0B-0908-60E3-890A-00000000D401}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000398277Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:40.457{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0908-60E3-890A-00000000D401}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000398276Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:40.458{7F1C7D0B-0908-60E3-890A-00000000D401}1296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000398275Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:40.301{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B37239FD9DACFF6A626DB90063824CE,SHA256=6482ECF1C4DCD500A20707CD3B587CD9DA88A9C5107364401E603C39612C6378,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000398274Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:40.004{7F1C7D0B-0907-60E3-880A-00000000D401}17923116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000398306Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:40.316{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53916-false10.0.1.12-8000- 23542300x8000000000000000398305Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:41.832{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F762841203EF9CF47E21623A581983E,SHA256=062C377105706D678DF3A47AAED75382D78FFD7B71355BD6C3BDA502EB774F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453544Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:41.189{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EB32B00BE5B9500750C3EDC36815503,SHA256=65A24DAF946CD986653E88C31B56981BF8B2B14B03D2E25BC56A39A08C41A8F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398304Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:41.691{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=670ED5727DA517707AC98B6514A7390C,SHA256=C302D74907E809A595A0A496D34975248BE1A711805F460352256C2C790C08E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000398303Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:41.348{7F1C7D0B-0909-60E3-8A0A-00000000D401}38963852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398302Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:41.129{7F1C7D0B-B3E6-60E2-2B00-00000000D401}28442864C:\Windows\system32\conhost.exe{7F1C7D0B-0909-60E3-8A0A-00000000D401}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398301Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:41.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398300Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:41.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398299Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:41.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398298Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:41.129{7F1C7D0B-B3E3-60E2-0500-00000000D401}4081320C:\Windows\system32\csrss.exe{7F1C7D0B-0909-60E3-8A0A-00000000D401}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000398297Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:41.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398296Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:41.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398295Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:41.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398294Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:41.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398293Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:41.129{7F1C7D0B-B3E5-60E2-2100-00000000D401}20123788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7F1C7D0B-0909-60E3-8A0A-00000000D401}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398292Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:41.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398291Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:41.129{7F1C7D0B-B3E4-60E2-0C00-00000000D401}7523368C:\Windows\system32\svchost.exe{7F1C7D0B-B3E5-60E2-2300-00000000D401}1604C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000398290Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:41.130{7F1C7D0B-0909-60E3-8A0A-00000000D401}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7F1C7D0B-B3E3-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7F1C7D0B-B3E5-60E2-2100-00000000D401}2012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000398307Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:42.848{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA0DE23593EC085801D85ADC770DE73,SHA256=9D7535C40C4F74CA13E07C65B8B74639BC9E6EB287451D1DA4E32C7BA11FB45A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453545Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:42.219{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4D2666860DC3539118FDEDD42780C6,SHA256=1C660339201A4DD3AD6B07CFAE85AC5EF8AA59E95F8158A493E0BF57D4DBC811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398308Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:43.848{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2B90A51456251D6542698A04409EC0F,SHA256=51B96632DCD5CABDD49C0FD1C0AE067AA9CC747AF835EA10B886D3BAD1349939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453546Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:43.235{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF0F0AEE064C05820FEFCC2427F2F0A,SHA256=716FB08336EC3E7A1794D9FD3F635827FE2917EA82CFF52229310B8FDD475CBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398309Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:44.848{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A4FBE0237262799916492C7BE9F870,SHA256=2025D332FC79B547E36915B9C1D1E8F3B67F38C1A2A692B6C77261CFE0BD3C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453547Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:44.267{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19DD03B7EE66C9007879099E59C249EE,SHA256=9B10D587D75EDCC97F90BF37237D9825A9D3E5D13E3FE4698DEDD6CB2E8021D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398310Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:45.848{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6BCDED825B46A8AB558C44187293C49,SHA256=8310AFD54D67D0C8F0896D09EE1D6CA1DF1A2B8190290C8A8F31C06F2F110B51,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453549Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:43.652{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60910-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453548Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:45.286{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FDB4BED4A9FD0B3FBFC9A2CD6DF329C,SHA256=E21715D03EE209030F28F5DF7C8202309C64946598020A952FA0D2DEC370F979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398311Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:46.848{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=451F6E8D96962DD57A8ABCE751AD1531,SHA256=D5C78A115C3A120249D611AEF7D865DC5570611423EC3BEAF95C17E5591AC531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453550Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:46.301{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23EA8D9BE41CF72553CD60F66A48FAF4,SHA256=CA83294D5D7332BAEE6E7022771D79204E5F2ABCCB492767528A660DC88F154A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000398313Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:46.284{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53917-false10.0.1.12-8000- 23542300x8000000000000000398312Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:47.863{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E90C685FB066F554D68DD0CEB5E8E9,SHA256=DE3381E4F343D92530556DFD97C15E8741141DD64DC6422303AFFD6CFFB223EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453551Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:47.315{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC6343AB8D37EE0F0E74D099214CB78F,SHA256=360093910F4C73642E41BCFF34482E86B9A079C4B3F1C93EB2C10AD3D67054DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398314Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:48.895{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46F3FF9E4955499501705AC0510F3D2C,SHA256=706129DB52B63CE6E0BA1AF69884FF5960E58690F154E6C588B8499F83DF7A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453552Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:48.329{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ADCFB7EA6A7EA71CD99648A71FCD3FB,SHA256=EC38B203DF23A6E977F223F5E87F7A3D3346BE54759AA0BB37DD10CE8A5767F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398315Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:49.895{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A8035653B5423E1F292A1B401FDBC6,SHA256=51AD6D1FE8C8027C74528EE965243A8084BDF20D61744079063008680889DD5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453553Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:49.344{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B40CF4598014F3229673FD81B4DA956,SHA256=7996B613FF8B4A7DA00725E22FEE0E9828BABE1228C8FCCC25D1A78A16800CFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398316Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:50.910{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75EAF1728A8455B431F574B46BD11C38,SHA256=61185DF2659786E62E5A8E793D8FF5862A95B635DFA74ACD82EE075D1456973E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453554Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:50.360{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4EBEF230417AD8225FF3419736A3A07,SHA256=54BF8BA255D61D66AF82D994EA983F6ADCB4DC3E02F5648A8019C31D8977D18E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398317Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:51.910{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99C536C8CB04D906D503D52B8241D1D0,SHA256=DD366262B68880FC00908A87241C7917E95FC8B68D810CCF10FC9274760D5CA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453556Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:49.660{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60911-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453555Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:51.378{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68BC2CD3D7C186B22B5C66E0ACAB1C13,SHA256=A6452D81D9F5F210E1B8679BD3526468E329FA62D9AAE893C59AB4E3E5D7C378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398318Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:52.910{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934377C04AF2C775B93CF77A72A2D174,SHA256=61E93099D7E9BF13039F83B290FC3BADD71FFDCBA50B9E11820EB81E7EF11053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453557Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:52.393{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE4D5CC1E75A7C124FFE03116E9B091,SHA256=A9184002EA693FE530D37547B49294060149047658BAB8491B8DD883C0B62887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398320Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:53.973{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8149F427141197D625929A135AD730BD,SHA256=FA8EDB8B8CFE7E544F899F1AAE702C42DD0CC1ABAD7DBA0B6FB9D9B6CC3BC3AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453558Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:53.408{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D2F8D7269A29F32CDB8CD3BE228EC9,SHA256=33CE9C8BCD2168370CF23B4B41129C936637C036F459F025812FECFB97406B78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000398319Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:52.284{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53918-false10.0.1.12-8000- 23542300x8000000000000000398321Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:54.973{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=892A59B1616F895E4FEC3A31332F54FE,SHA256=7FDD4239C5CE514EC6FE5DD14CB5EA8DA0C4C90A274BC329564C3204F85B8729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453565Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:54.606{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=17F33D78EFB349A7B74F958D8F135687,SHA256=A894FD518C51B10E01EAC93070520246E88DC5055B66918FF67BB1AF9CE8BFE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453564Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:54.606{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=F8B93B0A2871FA0147CF46DEB90A1C32,SHA256=66EB6018CA95B685C2D077EC5C3A578B6659D01AC56BF3B5B09B339263C15F0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453563Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:54.606{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=3725BE4A6FED06EC4CF3A996CC0C6884,SHA256=08337BD90F1F91441175323A0E8D5514163FEA40182642AB7CDAEABE602ED3DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453562Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:54.606{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=3EF02C38A652BCDB0B493044A0432F72,SHA256=0C641D280C6B3986C62B22387C0462A45AB8709E9E6C40DC5AF0219951B9FFFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453561Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:54.606{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=66455F0C90496A606C6D98B4FC87BFD3,SHA256=27FD9798C4B02532C03DC09FE5F0E378C54122D69F23E714C8EE0FDB458A873A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453560Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:54.606{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=1B21043DC0ADCC826F39BE89300DDD61,SHA256=73B33EE0BA7DDEA5FFF6BE7B88699EDB52F59FECD51BA05B4B20F508221A7A68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453559Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:54.422{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBDD7A54539400C52ACC5EB9934F921,SHA256=CB077371C32DDCFB96F5438E27601BDEF06F1C4BA377571C03865D7F3D48A831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453566Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:55.456{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F7ED70DDF3CB0B0D80E477E6A8E7B3,SHA256=624D3BB06BE78998540F1C37DD4F456961AE3D198E16DABBF437F3D719C492E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453568Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:54.670{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60912-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453567Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:56.473{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=404ABE7AAC2AF8EBD5F58B70D3DBDC97,SHA256=957AB31FAC44C4798FAD96D8DC6690231DDE794DEA59985BCC25E6F8CCB33CB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398322Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:56.004{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF8F9C3BE4E7B7A8943F232B1208E2C0,SHA256=90108F14756AC11B41D90C1055C2A1F73177D9B4CC0698AB507BF7C67D1543E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453569Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:57.487{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B792F1F7CC5DE11AB9D39F0AD612B229,SHA256=27A9EF822C9992727986318E36628D64A03C09F559FDCFC86A84487CF90AA088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398323Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:57.160{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E0C5E4FB133D8267A38DCEDE9DBAE6,SHA256=F4900D18474183B141E67A7679FF10BA23C71086ACB84ECF20DF5189DA3DCBE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398324Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:58.285{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8419F9BDACC6EE9F07E6D8BD5F3D2394,SHA256=B313E0653090A57BF3F733BCA7B261CC0CF2D351E361D5D73A5ABF119E0913C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453570Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:58.502{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D1216475B04199CB24D109BC950CE73,SHA256=EE0042D6A5EDF1B60A0382A3667B78333251E67E623CCDAD12F6264D7B3FA873,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000398326Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:58.316{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53919-false10.0.1.12-8000- 23542300x8000000000000000398325Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:28:59.332{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34C6B15D9C31C48D4AE5E9CA2E65281C,SHA256=5B24B95FA35999EB86D3F1EC25CD6AE837A93C420825ABC3D86DAE1DE7FA0565,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453593Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:59.913{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-091B-60E3-1D0B-00000000D301}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453592Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:59.909{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453591Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:59.909{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453590Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:59.909{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453589Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:59.909{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453588Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:59.909{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-091B-60E3-1D0B-00000000D301}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001453587Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:59.908{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-091B-60E3-1D0B-00000000D301}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001453586Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:59.618{D694AEB8-091B-60E3-1D0B-00000000D301}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001453585Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:59.616{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=DFCD9CCA395AD1DEC9AEAE5DAFC04601,SHA256=A767F786CBEBDF7781FACA002247410DE3A2BDC223F05DAEB1200E86F1DE34C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453584Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:59.616{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=0F8438C30AE3E446B799D6D9235D5829,SHA256=B84058B39E033806C204A4D301ECBBE47ABE9DFDD781491B9C7EAC6E83D43A5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453583Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:59.616{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=F3E130B52B71C7A753866B5D6C61584A,SHA256=F889C5D1422D60B072EC101C874EA80773C369C5B1A57A0614A725C2B4A3758B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453582Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:59.616{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=B8DA97A909D06409E2D9089314D677CE,SHA256=0AECFAF1C59D3FDAEDA6087A762478B81C257F77750FEF63EC039E003F314561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453581Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:59.616{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=BA806930FA39C939B172E5B0DEC9628B,SHA256=0E7E5DCB6FE6D1435935279219E748CBB0BD56751BAF3EEBFDF5C706CACE49D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453580Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:59.616{D694AEB8-F83C-60E2-EF08-00000000D301}6572ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yzehmadb.default-release\datareporting\glean\db\data.safe.binMD5=0B7B33C1F82DC6FDF4AD895B53F10DF5,SHA256=2EA1EDB8E34D4BA2D79E69729272D48E07AA83E3EAFDBD1006D7BC2335008773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453579Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:59.517{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07C24DC8A0B589D9F8F32D39184B25B0,SHA256=A1427571776FE8791EC464A3E80C71DA9A7E0200B545BB552D92FDB5A557862B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453578Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:59.001{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-091B-60E3-1C0B-00000000D301}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453577Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:59.001{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453576Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:59.001{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453575Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:59.001{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453574Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:59.001{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453573Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:59.001{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-091B-60E3-1C0B-00000000D301}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001453572Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:59.001{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-091B-60E3-1C0B-00000000D301}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001453571Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:28:59.002{D694AEB8-091B-60E3-1C0B-00000000D301}5448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001453605Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:00.524{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=701053F870D3FB0FFFF6C1750CA3F786,SHA256=0DB03A5FF017F123E19E6225AD946F72445C76C3513E3A2B5417E8E8EF8E3C64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398327Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:29:00.457{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDFBD74CAE99C8540BDC7EFC1469A16C,SHA256=EFA5E8AE419C67EFC8F8E0230096E116AE3B97E9E4AAEF35534617FA6CB04882,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453604Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:00.487{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-091C-60E3-1E0B-00000000D301}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453603Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:00.487{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453602Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:00.487{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453601Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:00.487{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453600Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:00.487{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453599Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:00.487{D694AEB8-B3E7-60E2-0500-00000000D301}4123364C:\Windows\system32\csrss.exe{D694AEB8-091C-60E3-1E0B-00000000D301}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001453598Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:00.487{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-091C-60E3-1E0B-00000000D301}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001453597Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:00.488{D694AEB8-091C-60E3-1E0B-00000000D301}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001453596Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:00.124{D694AEB8-091B-60E3-1D0B-00000000D301}50885316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001453595Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:00.055{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20BA27CEFB68EF6A3FA2A2B73D798F8C,SHA256=DA47D54F74EE7D02B1F25EFFBE2CC4A15C1EDEAA2C5C129BBD9C7DD150083328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453594Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:00.055{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CEEAAF8D1CF38F0FF1988767EA9CF74,SHA256=892BB018849A0DD5542CAF2E10B5941E43B1ABE6AE6F54F0278096F21D3DC503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453607Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:01.586{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20BA27CEFB68EF6A3FA2A2B73D798F8C,SHA256=DA47D54F74EE7D02B1F25EFFBE2CC4A15C1EDEAA2C5C129BBD9C7DD150083328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001453606Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:01.586{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5520E45046C80D3FF1B786EC00EF3A,SHA256=EC915A1715021913C7A05817DA927B4D2E0F70EC555642EEA629DC793E773A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398328Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:29:01.457{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2DC9EF54AEC01043A6DFD37D0F1748,SHA256=5C32B7D9EAE4FE46E2E246AC0C98B71F7A9B29BD11D5FA357B1A488B4602250B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453616Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:02.984{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-091E-60E3-1F0B-00000000D301}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453615Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:02.984{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453614Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:02.984{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453613Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:02.984{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453612Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:02.984{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453611Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:02.984{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-091E-60E3-1F0B-00000000D301}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001453610Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:02.984{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-091E-60E3-1F0B-00000000D301}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001453609Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:02.985{D694AEB8-091E-60E3-1F0B-00000000D301}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001453608Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:02.600{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE492253AE59971965EA87E164D3F467,SHA256=543D11B2D77447E04BFFF3FB3E56C211838C0A05928DA3E0EF425BD1EE643C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398329Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:29:02.473{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB551EA4435D5DEDC19791398B792357,SHA256=A2B2EE3833ACD23486EEF11CECE2C734865838DBBFAD28701095DF31DD57D28D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453628Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:03.820{D694AEB8-091F-60E3-200B-00000000D301}9886008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453627Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:03.668{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-091F-60E3-200B-00000000D301}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453626Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:03.668{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453625Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:03.668{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453624Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:03.668{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453623Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:03.668{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453622Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:03.668{D694AEB8-B3E7-60E2-0500-00000000D301}412428C:\Windows\system32\csrss.exe{D694AEB8-091F-60E3-200B-00000000D301}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001453621Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:03.668{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-091F-60E3-200B-00000000D301}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001453620Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:03.668{D694AEB8-091F-60E3-200B-00000000D301}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001453619Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:03.620{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75D3F8E9FC40E9B219046784755E008,SHA256=FEF2EB38D2007DA511D8FB58702D96F0C40DC0DA42A3E8142DED504666635229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398330Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:29:03.473{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CF495F738F9B7348EEE6963C63D24DD,SHA256=83C88591166BE426258A23EFC09D40B6D6CD4DB5F3B9E679A3CDA3364BE25068,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453618Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:03.137{D694AEB8-091E-60E3-1F0B-00000000D301}6024472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001453617Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:00.451{D694AEB8-B406-60E2-6A00-00000000D301}3116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-201.attackrange.local60913-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001453638Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:04.667{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=896B5D2303292E6FF1C49E68B75D98A5,SHA256=D6B07A9CD0D239A576ECA2439823784D55E6FF632FF83C48D8120CC6DFDA450F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398331Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:29:04.504{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2AE6BCB0EC834F7AB39B1029CA31CDD,SHA256=95C9E4EEA18AA0965A18E3CEBC066057880B1D8C6BF23C14EB2A524499D87C21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001453637Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:04.351{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0920-60E3-210B-00000000D301}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453636Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:04.351{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453635Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:04.351{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453634Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:04.351{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453633Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:04.351{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453632Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:04.351{D694AEB8-B3E7-60E2-0500-00000000D301}412552C:\Windows\system32\csrss.exe{D694AEB8-0920-60E3-210B-00000000D301}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001453631Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:04.351{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0920-60E3-210B-00000000D301}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001453630Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:04.352{D694AEB8-0920-60E3-210B-00000000D301}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001453629Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:03.999{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D46066A4B459276732667E4CA24EEC8,SHA256=AFF4916CE26F9828EBD0FF3C3A6D8ED0451964A7C03F849E4D1FD5987D878E5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000398333Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:29:05.520{7F1C7D0B-B3F8-60E2-6B00-00000000D401}3092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67BE52C66B20DB8836AFFED0389C9D8E,SHA256=DEE8709C7AFF0C84413612B1DCC90D768ADD34CE9755CEBA09BD113298A93642,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000398332Microsoft-Windows-Sysmon/Operationalwin-host-884-2021-07-05 13:29:04.286{7F1C7D0B-B3F0-60E2-6200-00000000D401}3000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-884.eu-central-1.compute.internal53920-false10.0.1.12-8000- 23542300x80000000000000001453650Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:05.466{D694AEB8-B40E-60E2-7300-00000000D301}3936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB5D386B6C29E5BEF91076ACAB196A91,SHA256=78D6C12F72A18F89CB9E60D2B2052A4B10DF0730CE582ECDB6D8BDA3A15CCA4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001453649Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:03.348{D694AEB8-B3E8-60E2-0B00-00000000D301}656C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60914-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 354300x80000000000000001453648Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:03.348{D694AEB8-B3FA-60E2-2400-00000000D301}2788C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-201.attackrange.local60914-true0:0:0:0:0:0:0:1win-dc-201.attackrange.local389ldap 10341000x80000000000000001453647Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:05.167{D694AEB8-0921-60E3-220B-00000000D301}17047100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453646Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:05.018{D694AEB8-B3FB-60E2-3200-00000000D301}31323152C:\Windows\system32\conhost.exe{D694AEB8-0921-60E3-220B-00000000D301}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453645Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:05.017{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453644Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:05.017{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453643Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:05.016{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453642Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:05.016{D694AEB8-B3EA-60E2-0C00-00000000D301}8602264C:\Windows\system32\svchost.exe{D694AEB8-B3FA-60E2-2C00-00000000D301}3004C:\Windows\Sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453641Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:05.016{D694AEB8-B3E7-60E2-0500-00000000D301}4122856C:\Windows\system32\csrss.exe{D694AEB8-0921-60E3-220B-00000000D301}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001453640Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:05.016{D694AEB8-B3FA-60E2-2A00-00000000D301}29484004C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D694AEB8-0921-60E3-220B-00000000D301}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001453639Microsoft-Windows-Sysmon/Operationalwin-dc-201.attackrange.local-2021-07-05 13:29:05.015{D694AEB8-0921-60E3-220B-00000000D301}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D694AEB8-B3E8-60E2-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D694AEB8-B3FA-60E2-2A00-00000000D301}2948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service