23542300x8000000000000000892851Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:11.556{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F650C9F1231F70BE8791CEFA2B436F1,SHA256=0E66919EE7C766D1AB107F9D0391EA054180AD0B8FA72E2476D6822BBE8D0010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030473Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:11.316{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A87B21BA9B2165A256C86C33D09A4AC,SHA256=AA996B53E6B4AC2D2977DD75501EDA5121BCE31FF112727286F350006533A996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892852Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:12.556{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36093BF94CA9AF28262C78079A3AA20A,SHA256=35A740A1B187C253CFFDAE4ACDDB3D5A9C6B47C5E39666CA99305F00A2C01933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030474Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:12.332{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60CB5F49BC71FC0EA6F7EB455BFD4451,SHA256=7A9D23EE6C9FDAFD48CAF55F7A16A48DED8CBAC6860BB8D7B57275ABCE2187C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000892857Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:04.241{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52672-false10.0.1.12-8000- 354300x8000000000000000892856Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:04.051{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net61457-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000892855Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:13.853{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12007F9F11F24663F63941F76ED4F9EE,SHA256=B09361B193DC0961B849978F4DB25C6E1099918EF0D082801E4888A71E1F2436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892854Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:13.853{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A19A29D38D91FBA8CB741F7B2D286257,SHA256=C62114B8F473365FCBBB25DE1C0017BD287DD715EB792C3B120225371AD8E94B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892853Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:13.572{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6838A717E8EFD197F4096E56C5F43D1,SHA256=00A5A9CCB0081EEF2D98E9E069415255F8F2CFB6E81CAA96F9C5267C2DD9ED87,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030476Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:13.220{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57566-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030475Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:13.332{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E19E54436C7A4C236F8AB8D315B3E4B5,SHA256=5DC6F54FC1A25F788B806C2FF6AFE93160C3F20D78727E64ACF4A553EF9DAADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892858Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:14.588{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5CCC22269D4BD450901CC630586E37,SHA256=B78DEE6DFDD03FD192212976D29F96E5D28498A486C8E58CAAFBEC4DFBA050BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030477Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:14.347{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=644573C924FDD3435A548D5D3E813490,SHA256=57B57DB51D3B0F2DC1735B8518CD1F420EC452AB3F0E1B6355AEB8F7D17BAAD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892859Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:15.603{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B632D0AEDC03A5A0552E40E5E63655BF,SHA256=8CC945AF67543FCF1DE39CBDFC2BF4CA8DD35B1DCB3E96A1A7567B39860A00C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030478Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:15.347{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7FE623CD6D13DA881A03898630E828B,SHA256=4977AD9FE539F32D871A2F21AE198BD56F5FDC5E143DC75C00F10EF0CB7CFBF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892860Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:16.619{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97AD23AF0C849CC5CC66FEBEB30C069,SHA256=1ADFFF03CDBC6A58D6A0B830E9EB109B034ADA146F1203A0A3329D29C4AD6D3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030480Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:16.390{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.20-33316-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001030479Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:16.347{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A99E3222DE8F13D5B337CD33DAE2F28A,SHA256=9EF6B8F27871136D6637F8679202881C8F9E4657BBD9F852020A039A8FA08458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892861Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:17.634{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456BFE68CAFBB0CD14BC1578023EB9C2,SHA256=141B8B8F743D2BB2CFB3B98624D9F88964BE8121A80702F36231723BF1909F27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030484Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:17.910{2E2BE06D-6DD8-60FA-1200-00000000E601}780NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=989A3679B7EC84513824E22F9DE04751,SHA256=F6D5E79EE8B52E13BB8EEA595DEFC43A1313BF3C205BAC9FC60EED40FFE03EC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030483Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:17.613{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBE1E1F9310CC8138027E09278ED16DA,SHA256=443C2A0DBE0C625BE7C12DA04A3D9ADB0B22979F066989355A8225A3BDC98A8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030482Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:17.613{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8DE7694960DDB5E6B5CDAC8C8AB3191,SHA256=88DB5590A38E74C1C635D7D5427D4F4B20A264A22745D892CFFDF0D1D7CB3C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030481Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:17.347{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=723001448A21FC7CBC691510E4F96F7F,SHA256=E9F2C87C24800CA7BF4C2C606AE24CDC19FAF58ED3B3B388A13E86B85A09BBD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892862Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:18.634{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00405EA3CA23D75CF889786809A0B34A,SHA256=5BEF4D93655509E853235172282B15DB9C8FA5DAFDD29A748A738E078883E9A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030486Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:18.329{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57567-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030485Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:18.363{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF8DF0C02E89FBC9421346C0E84781A4,SHA256=B37DD6A99EEEB2D3B9573B3547F5ED27271E7B5CFF239D55161C5B93AA95C924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892866Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:19.666{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=868E3104F2196962B72C334D7FE25EF2,SHA256=5F4455E54C665CEE788E73B59BF48636F1C06E50E1858855846DA4976F4EE3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892865Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:19.666{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12007F9F11F24663F63941F76ED4F9EE,SHA256=B09361B193DC0961B849978F4DB25C6E1099918EF0D082801E4888A71E1F2436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892864Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:19.650{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D819B25395492792EEF874AF3CBBE4,SHA256=E950AF9F7BFE5F8341C6CE78967C9195F0D084C1DA8A0E69F70B6CC7B58C673F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030487Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:19.363{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2052FD2E686CA2F082883BCAA613EBB5,SHA256=E63BE9B910006A0E949A9267019C965A159B66AB390EC95465EFEC0ABD95FC05,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000892863Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:08.927{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.7-45839-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000892868Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:20.666{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C606A6E8DBAE403F912620A947FE233,SHA256=A1AA69A066B1C3D4B03495C489D74450B829F849C9A1B5BE191C0F0A3519EFC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030488Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:20.363{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92B7BE732A0CB32D7889FB6F24A6ADF2,SHA256=3B0F018741BEA54A40A8453BD59BD0DB0E6A5E541B611E7E8A7DE17A7EE3E8DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000892867Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:10.208{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52673-false10.0.1.12-8000- 23542300x8000000000000000892869Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:21.681{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51138F913C0C4036B834712B8694FBD2,SHA256=A12BE7305AAC1E62B16CDAB54D2EBF99516EA0D1B5553A261D8D0B5FA2E7E066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030489Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:21.378{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA1B5D017BE91CDF9E25A501DC127CD7,SHA256=BCD7A621E0EA2F7794EE419D37160D18FBBA22AE7D64747A490D8D82E2B65656,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892870Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:22.916{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21390E3FD1F42C16CA83A76E9D2839CD,SHA256=28C86DF131D52375D549390C330FBCB351471F1ADE9C3B5CE84DA975D3782AC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030490Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:22.380{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15394ECCA2D497DD00DBDC6D31B97C0E,SHA256=8553AE05E597E73A006C02EA43C84026AAACA8CCA019B3BF45FDD17237551BBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030491Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:23.382{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB341071EA47553258307A1046BD42F,SHA256=EC0DD25D5A9DBF235E704DC8871A202B231EA7143F79AFE5597202A58668E538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030492Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:24.385{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4101951834BB31E81594C690F4629BDC,SHA256=80DA94BDD5D18A8142F042C36DF95BDC047D3831103FB38E46DAC41AB9CC4DB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892871Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:24.088{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61FC7461546AB8B7191E7E918334ACE1,SHA256=B4680D8B857B5E38575C7041E28BD23C4B25AA65563CB01E29FB099573E8F2E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030495Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:25.385{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1DFFB9C785460EC9BA0BED5C130BFF,SHA256=61160C80501D44E90285D2DAD65AA4085C62C88CD82F6D6E94FAD1066A5B088E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000892873Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:15.582{D94AFF6C-6DD8-60FA-1100-00000000E701}972C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:1cf1:2a09:f5ff:fef0win-host-702546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x8000000000000000892872Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:25.103{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1D043A48A0A5B4C9CBA753165FC19DC,SHA256=2F2F37A6785FA967250943E4547E0306686CBE4191B15C9D2EDB5BA2B627DEA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030494Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:24.177{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57568-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030493Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:25.229{2E2BE06D-6DE8-60FA-2700-00000000E601}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030496Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:26.385{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3254D6AB1599FE720ED97BBA942D3369,SHA256=C44684D875E68A66B83350A5956273B2FD4E8F6C0CE798CE7E388993517C32EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000892875Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:16.114{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52674-false10.0.1.12-8000- 23542300x8000000000000000892874Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:26.119{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC1B5F595758B7EBADA45650EDCAA48,SHA256=F89293B0E0089EF91840606C79097D03DEF9FC8499924165B122CDEAA8D724DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030498Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:27.385{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EF881D856C525919DEBA6DE851B2E67,SHA256=107B8CBA5689B9B938BF187C1717F135330C0B57B3038CB5249EBA8196E83D08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000892889Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.963{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-73CF-60FE-FD78-00000000E701}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892888Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.947{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892887Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.947{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892886Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.947{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892885Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.947{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892884Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.947{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892883Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.947{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892882Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.947{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892881Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.947{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892880Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.947{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892879Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.947{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-73CF-60FE-FD78-00000000E701}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000892878Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.947{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-73CF-60FE-FD78-00000000E701}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000892877Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.948{D94AFF6C-73CF-60FE-FD78-00000000E701}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000892876Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.135{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B613BFB0C437DCC6133C1E54F98BDAAF,SHA256=23A356E0132BBA848663CA4952CF5A9E77C50126C98C32DEE2C96865469068BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030497Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:26.352{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57569-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001030499Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:28.401{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59FD17635A1B93D1670888E43A90202,SHA256=4ECC4197FC685A30BB8405E7B7B4652D015238D3AB160BABBD0B190EAE14E116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892906Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.963{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=094ADA860C58B78740B9003778F9F383,SHA256=E2CE59B3718F36338078F99F29355D3E291816BC61A8FD1A2873B595FCA2E672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892905Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.963{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=868E3104F2196962B72C334D7FE25EF2,SHA256=5F4455E54C665CEE788E73B59BF48636F1C06E50E1858855846DA4976F4EE3E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000892904Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.634{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-73D0-60FE-FE78-00000000E701}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892903Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.619{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892902Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.619{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892901Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.619{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892900Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.619{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892899Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.619{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892898Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.619{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892897Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.619{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892896Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.619{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892895Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.619{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892894Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.619{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-73D0-60FE-FE78-00000000E701}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000892893Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.619{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-73D0-60FE-FE78-00000000E701}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000892892Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.619{D94AFF6C-73D0-60FE-FE78-00000000E701}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000892891Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.181{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4ADA4C86DE5C2A718889A3BAC4B5D7A,SHA256=3D98FB0F7E9EB5EB43F73E4EAEDF00B0546251E31487705AF9D825EE0148F15E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000892890Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.072{D94AFF6C-73CF-60FE-FD78-00000000E701}31363496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001030500Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:29.417{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAB2047E2CFCF23EBC7321C4BAB2CFF5,SHA256=3B4A2964710AD67BB213B64ABAC7C2F4A70B182F9B90C202201EED97887D5980,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000892933Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.978{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-73D1-60FE-0079-00000000E701}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892932Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.963{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892931Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.963{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892930Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.963{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892929Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.963{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892928Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.963{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892927Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.963{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892926Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.963{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892925Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.963{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892924Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.963{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892923Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.963{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-73D1-60FE-0079-00000000E701}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000892922Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.963{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-73D1-60FE-0079-00000000E701}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000892921Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.963{D94AFF6C-73D1-60FE-0079-00000000E701}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000892920Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.447{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=154E855FB1EE24836B2D99400E50F943,SHA256=75ABD41CFCA420FFB6D23E45D23C2092EC29E410E5D644DFA60C9D50899FCE9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000892919Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.306{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-73D1-60FE-FF78-00000000E701}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892918Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.306{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892917Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.306{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892916Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.291{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892915Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.291{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892914Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.291{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892913Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.291{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892912Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.291{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892911Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.291{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892910Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.291{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892909Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.291{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-73D1-60FE-FF78-00000000E701}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000892908Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.291{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-73D1-60FE-FF78-00000000E701}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000892907Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.291{D94AFF6C-73D1-60FE-FF78-00000000E701}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030502Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:30.417{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C4AAFE45CA537DBCDDDB8F39F85B220,SHA256=3100923FBEB8D8578683DAB9BC6466A964E8E9F208E2476339E41E4D921AB729,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000892936Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:21.223{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52675-false10.0.1.12-8000- 23542300x8000000000000000892935Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:30.541{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF62F8FB954F7B491E263CD26072BCC,SHA256=A7EAD608A4FDAF899EFACB402422C6F51F5B7A61F79061689A665D49134EFEE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030501Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:29.274{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57570-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000892934Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:30.338{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=094ADA860C58B78740B9003778F9F383,SHA256=E2CE59B3718F36338078F99F29355D3E291816BC61A8FD1A2873B595FCA2E672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892937Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:31.556{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B22CD47A04F0EA07177A2BCB528860D,SHA256=405F822F14B8503F3A6AD316F85E3EC68871FFAFFB790476FB2F440E86466DEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030503Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:31.651{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA609DFAFC65CEC9B4843256ED3D08BA,SHA256=07D91F7384D17D1A706D81E079492B760E7DF06DF3388C2B07EAF6C4ABCB6B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892938Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:32.791{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266526679060FEE9A81526B78A5E7A9C,SHA256=46239B0526717C69FAAA4D95C329509FED287CA8CFD89DB7AA9C8E362EEC7E1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030504Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:32.651{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB23E9F1B52B8128A01C15A231B03DC,SHA256=7F1B13B1A17B577D7B37221A5430A11EF19280B4FBD1A3925AB123ABA5461575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892939Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:33.853{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0882CD562BA3DA3BF24FF6B05A23EEAF,SHA256=22ACAE60460E3D7E51647E6F6FDC1CC848ED97AE16CF7EF5434D44320BC0934A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030505Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:33.667{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDCB45970EA7851781ECDEB2D9B425B,SHA256=C5144B623042282FC0847D3183B7AD6FA1F9393F41EA0358CC79F3CE9966A0E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892940Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:34.869{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1107C901CA1FF43820CF9ECC3038A520,SHA256=D9B1224E17716604754A6B835E2FFCCD3981DB2668790219EF53E6692A901339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030507Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:34.885{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CAE1726E3C1CE9C373F4258AFF514C3,SHA256=DE554FC8D32A66459CFA208345A866626D4B475B7C116A3B48ED98F94811B155,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030506Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:34.352{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57571-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030508Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:35.885{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21388E84B0E7A729DB9CCB5D0DC3466A,SHA256=169445B53E3D17C387D403E83DDCAB1D0DB81E9EDA3F788304D149E7DB200F07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892955Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.884{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5304DBAD31AA721CCBB3833A09ABBB,SHA256=A414914AC77743E8F1CB64901105CF35E45B727DCB09B0CA7675D30DB3F839CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000892954Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.713{D94AFF6C-73D7-60FE-0179-00000000E701}29883032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892953Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.588{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-73D7-60FE-0179-00000000E701}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892952Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892951Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892950Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892949Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892948Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892947Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892946Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892945Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892944Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892943Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.572{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-73D7-60FE-0179-00000000E701}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000892942Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.572{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-73D7-60FE-0179-00000000E701}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000892941Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.573{D94AFF6C-73D7-60FE-0179-00000000E701}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030509Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:36.932{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEAFCD43502E323349CCBC767EBE12BF,SHA256=EDC8FCB4A4669AE284E795C1EB8B350AF4E63A89650477E1D4873C6742B10AB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892958Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:36.885{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FEF656A11F7E0A4AD00BA70E58EDF82,SHA256=8672076339058820E36F8446EE32C22DD14CE2034F5A2EB9FB162B9CB1D8B7EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892957Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:36.588{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD66CA5F5B77050678D1CD24B0BA5592,SHA256=DCEAB7EA34B43A7C22C4238ACBD56F9C49207FCF5B0638C7EBFD1F7E4EDAE6BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892956Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:36.588{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=974460A0E028FE1B9C06A8ED1057058D,SHA256=F5F2CCD948728962AB80DED9ADCD8E012E297427A3B3B0B35901B9361A1C48B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030510Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:37.963{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE48B87FF65ED23DBED0A7102FE3CC3,SHA256=33BA22340E1C962C87B2C11982543ADE0C218C96A0EC07ED592002806724BAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892960Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:37.900{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B1E04AC1F81872C8AF2007C12705B7,SHA256=882AEDDC13B22DDA8CA9ED85097C311AC8C959890FC5B89B0B62C91595B5BCF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000892959Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.098{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52676-false10.0.1.12-8000- 23542300x8000000000000000892961Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:38.916{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFA0B798058D8F1208B793981705195A,SHA256=6ADBE20F91D127314123BF57D38B4734E5D42E24218C5D818A32395CDF961E4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892976Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.931{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=511BF7853820A728C57C0175A4652387,SHA256=243E466CAB38842C81291B2048C713B70081F9D5FEE46F18BBD7BBCF01BC0ABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030511Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:39.026{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A08A1DE5FEFB1B374DE7DA7402F2FBB,SHA256=1158889BC4DB978C92C249E00D5DD2AF6B11FBE547AE8D6A7A67A3895E6AA530,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000892975Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.619{D94AFF6C-73DB-60FE-0279-00000000E701}22841536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892974Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.494{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-73DB-60FE-0279-00000000E701}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892973Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.478{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892972Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.478{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892971Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.478{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892970Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.478{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892969Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.478{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892968Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.478{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892967Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.478{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892966Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.478{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892965Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.478{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892964Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.478{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-73DB-60FE-0279-00000000E701}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000892963Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.478{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-73DB-60FE-0279-00000000E701}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000892962Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.479{D94AFF6C-73DB-60FE-0279-00000000E701}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000892992Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.931{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9711E95F2FA6250DB81621C3FC313FF2,SHA256=500C59FB476C0D3E3F429C615F763F7948AA847EDDE687F79250B5DC1A6FBEDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030512Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:40.260{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F15BD39F766A4534D52F082A8223D214,SHA256=39D2CB28D70205958CDE290E1984192CD6AD62629DAFA3FD1CF801186B38C797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892991Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.510{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD66CA5F5B77050678D1CD24B0BA5592,SHA256=DCEAB7EA34B43A7C22C4238ACBD56F9C49207FCF5B0638C7EBFD1F7E4EDAE6BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000892990Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.275{D94AFF6C-73DC-60FE-0379-00000000E701}32043704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892989Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.166{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-73DC-60FE-0379-00000000E701}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892988Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.150{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892987Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.150{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892986Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.150{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892985Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.150{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892984Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.150{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892983Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.150{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892982Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.150{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892981Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.150{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892980Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.150{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892979Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.150{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-73DC-60FE-0379-00000000E701}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000892978Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.150{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-73DC-60FE-0379-00000000E701}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000892977Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.151{D94AFF6C-73DC-60FE-0379-00000000E701}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000892993Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:41.947{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8B7D78F268BE87174977B62F0803CB3,SHA256=CDF5B9C7E287B89D893690266C550CA858CA707D898505AA75995ACAE63F9A96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030514Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:41.277{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F61940CA87C1A13FD74BD641C4B484,SHA256=452CA37A46E71BD0F84373FDF8FAEA1581BE31C59F9E9CDCCF52CE835B89A082,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030513Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:40.211{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57572-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000892995Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:42.963{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60F7487E88F06FFEC04282F8785C601,SHA256=63A89DC0A55F7B6F9E73CD1787C0B72FBDDCAD7E9D53EBF6DC897065CAE20D8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030515Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:42.292{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EED7BB30AC95E83C1007AFD7A651CE4,SHA256=D3AF81212251590756AF442A32DF437C559178D5260895C79BD29F0D3F66646F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000892994Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:32.238{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52677-false10.0.1.12-8000- 23542300x8000000000000000892996Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:43.978{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72AF2CEE989249B99E17413A8C2637D3,SHA256=84199958E4CB0374D001721519C36A067F559138767CFADCA15F74A33AD08F85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030521Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:43.995{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030520Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:43.995{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030519Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:43.995{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-73DF-60FE-9479-00000000E601}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030518Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:43.995{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-73DF-60FE-9479-00000000E601}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030517Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:43.980{2E2BE06D-73DF-60FE-9479-00000000E601}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030516Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:43.323{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4AC994828D0BC1E4B21CE6A9BFE7E26,SHA256=B411E396426BD7916FD71F862D8C1E74EC99C638529934356D925F16D8FDA5DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892999Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:44.994{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6B54C418F756DED6519EE000A760B7,SHA256=8E8EFFC189AFAFDAA69FD441F040A79884BF876393DD507F5878AFF5C58061DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030536Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:44.979{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C45F8D529E980BDE001569E2BF64A9D,SHA256=80244AB02DA148C51FC8979A7E43E9CC7B02A8E71AD85A8264B3FC8F3358E74A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030535Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:44.979{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBE1E1F9310CC8138027E09278ED16DA,SHA256=443C2A0DBE0C625BE7C12DA04A3D9ADB0B22979F066989355A8225A3BDC98A8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030534Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:44.682{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-73E0-60FE-9579-00000000E601}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030533Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:44.682{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030532Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:44.682{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030531Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:44.682{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030530Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:44.682{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030529Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:44.682{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-73E0-60FE-9579-00000000E601}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030528Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:44.682{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-73E0-60FE-9579-00000000E601}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030527Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:44.667{2E2BE06D-73E0-60FE-9579-00000000E601}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030526Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:44.323{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83AAA60FB6F56ADFBAEB0BC095A2C4C4,SHA256=838096A71F2721F479519987DDCEC78A10C030761DA8B008477250E7B9930F30,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000892998Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:34.880{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.227-59352-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000892997Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:44.181{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C54D9BA0485ACFA41E00B64FBD52671C,SHA256=19333A51CF793E45BACF254A23D4F0E69B5A360C1706ED5DBCC3ADD8652982FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030525Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:44.245{2E2BE06D-73DF-60FE-9479-00000000E601}42922980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030524Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:43.995{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-73DF-60FE-9479-00000000E601}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030523Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:43.995{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030522Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:43.995{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030546Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:45.635{2E2BE06D-73E1-60FE-9679-00000000E601}5780760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030545Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:45.370{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-73E1-60FE-9679-00000000E601}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030544Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:45.370{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030543Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:45.370{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030542Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:45.370{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030541Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:45.370{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030540Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:45.370{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-73E1-60FE-9679-00000000E601}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030539Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:45.370{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-73E1-60FE-9679-00000000E601}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030538Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:45.355{2E2BE06D-73E1-60FE-9679-00000000E601}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030537Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:45.323{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42DD3077039C3210A4578679A8403E6,SHA256=7D75780C7FA03B0FB24814CA182342C1214980CCAE622F02B7295F54A7CD2DF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893000Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:45.463{D94AFF6C-6DD8-60FA-1100-00000000E701}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5C4F73CCF2CB899FC81F6EB0F7548902,SHA256=AC45814006598B6BFE030B0F290A31B91ECC8C71E81D00DA59FAB56475352D23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030566Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.620{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-73E2-60FE-9879-00000000E601}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030565Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.620{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030564Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.620{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030563Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.620{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030562Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.620{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030561Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.620{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-73E2-60FE-9879-00000000E601}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030560Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.620{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-73E2-60FE-9879-00000000E601}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030559Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.606{2E2BE06D-73E2-60FE-9879-00000000E601}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030558Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.401{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F69E4C54627288315A7EAF22FEED8B88,SHA256=D796169DC1326873DA197408BF0980EEA543D3DA5F878D8E2CDDE16FFB9C56D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030557Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.401{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C45F8D529E980BDE001569E2BF64A9D,SHA256=80244AB02DA148C51FC8979A7E43E9CC7B02A8E71AD85A8264B3FC8F3358E74A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893001Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:46.010{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8805E6985B22A1324E53FC6F1DBB220,SHA256=379346F194DC383753FE7261941DCBAAB80AC949612D4003C7870F0C828D9B7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030556Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.245{2E2BE06D-73E2-60FE-9779-00000000E601}13405624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001030555Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:45.321{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57573-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001030554Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.057{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-73E2-60FE-9779-00000000E601}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030553Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.057{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030552Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.057{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030551Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.057{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-73E2-60FE-9779-00000000E601}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030550Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.057{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030549Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.057{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030548Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.057{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-73E2-60FE-9779-00000000E601}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030547Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.042{2E2BE06D-73E2-60FE-9779-00000000E601}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030577Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:47.604{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FC266995BC840832C5EDA38EE995C35,SHA256=16F59E2FF049C174A6B38A35D57C2D2FDA2F60F50B65F777CF11F4D60036EE11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030576Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:47.573{2E2BE06D-73E3-60FE-9979-00000000E601}20205640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001030575Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:47.510{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F205438A2E36D676A29AB6B499A234D,SHA256=F3720709C4CB43D989A6E44E8F7559B9AC3563E60EF870E5F664E6EDFB9FD50D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893003Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:38.129{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52678-false10.0.1.12-8000- 23542300x8000000000000000893002Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:47.025{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C5F2F5CA60D0E7C1037CE088872728,SHA256=79CAA50304A3C6004174E897948E8519A5FA23BC85D9DB7EEC1B8C58C991FD57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030574Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:47.307{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-73E3-60FE-9979-00000000E601}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030573Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:47.307{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030572Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:47.307{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030571Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:47.307{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030570Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:47.307{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030569Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:47.307{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-73E3-60FE-9979-00000000E601}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030568Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:47.307{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-73E3-60FE-9979-00000000E601}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030567Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:47.292{2E2BE06D-73E3-60FE-9979-00000000E601}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030578Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:48.620{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B9BBC6FF5BEF55C1C30A97197F4CC75,SHA256=F5E1B8B229ABD6152B78F264CA1A8D649C50EB0FAEAED99BAE0D79317342DD17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893004Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:48.041{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF80C10EE196AB80411F975A3590707,SHA256=97C101F15496E6BF18A72ACDDD270C355C223D3AC46251C3200D531EDCAD113F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030579Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:49.667{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71BE94E3BF6DBA031873825AABB165AE,SHA256=D4E997CB3036165BEB4AD57B80C167D6E82E0E0B8073AE09E4C56D75923AC847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893005Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:49.056{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4714FDF6CD39807FA4FC432A730E8320,SHA256=FBD48EA9623027661E8A43546995FDCE08F2A77C7758E6E3E6BEEAD09B0930A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030581Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:50.713{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FCF837D9BE2C651812F6F5A3686E6F9,SHA256=AD533203B9FFDC488F03681BBF35A5FB806C5D882542F0B27122B9957BE19BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893007Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:50.416{D94AFF6C-6DD9-60FA-2200-00000000E701}1296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893006Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:50.072{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50CEBD9FEAF1B3017119AF044409B100,SHA256=583119F98E002E1396F74EBF49A305262329CFCC0D4A7E59986456B8732F5920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030580Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:50.604{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FACBE9A9FAD0FF4AE8740C76EF9FE7B,SHA256=D412EE482E6957EC3EBD7C60F85D699D10A3B0EE425DDD73C3A8822861515AF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030593Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:51.839{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-73E7-60FE-9A79-00000000E601}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030592Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:51.823{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030591Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:51.823{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030590Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:51.823{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030589Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:51.823{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030588Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:51.823{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-73E7-60FE-9A79-00000000E601}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030587Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:51.823{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-73E7-60FE-9A79-00000000E601}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030586Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:51.808{2E2BE06D-73E7-60FE-9A79-00000000E601}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030585Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:51.745{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C976D204E9A2CC7E960B7F5A5A608FDB,SHA256=F86C9DC35299247A62BD61C2344408CEA6B9C13B04E5272AD0C0F978CA76F10D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893009Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:42.410{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52679-false10.0.1.12-8089- 23542300x8000000000000000893008Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:51.088{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AB80CEE96FD6F3406FB5B00F757D2BC,SHA256=AA387BC7ED2AC442C1391FB8FEDA33E26ADE6627F83C0FAAAB692E7534FCE863,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030584Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:51.195{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57575-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001030583Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:50.743{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57574-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 354300x80000000000000001030582Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:50.743{2E2BE06D-6DE8-60FA-2300-00000000E601}2740C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57574-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 23542300x80000000000000001030595Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:52.823{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=930FB24CC7F4F441F1315AF7FCADA3C4,SHA256=A7F2AD5596D9A841E130041A46824F31F65D38B7A2A22BB7CBBC46F41568FD18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030594Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:52.745{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C931FED91435A93430190ED29608F4,SHA256=2C64F82C3A66F4F5504847ED902E747A1E53F9EE6B30E8C9E79AF13A7AF436BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893010Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:52.103{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEC0D7C11E50F289A64E06FA1C4FD57D,SHA256=580C50058D0980B59DCBE383FA8F8F95B6EFC460280C0EE6CFA81C7DD517B402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030596Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:53.760{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=470F4B883D96864C77021FBE357D649E,SHA256=42D23575AF597D2BB0F1246C25B4EB4E85037E9D565FDAEF86F858793FDC4C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893011Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:53.119{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CBD4251AD0BD86D9C442E2588B2B57C,SHA256=F72DECA87533402D97E6BD5B22AA917DC171F07002E491CB5AA8BABDFB7DA4BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030599Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:54.807{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=628687E5CFB06AEBBF2E1EBE1CED6F27,SHA256=90528D16F952E7C4B8942E6B0C2020D2B453EA724D7620577C1C78B7F3168EF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030598Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:53.893{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.235unn-212-102-34-235.datapacket.com3822-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001030597Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:54.166{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F88FF3C063497B9DBB6DDC5EEBB6B64,SHA256=373DDE460A28D43B25977A45D6D5BE6EDD9086CE4BF3C13E53ADB29BD7B07F29,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893013Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:44.035{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52680-false10.0.1.12-8000- 23542300x8000000000000000893012Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:54.134{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=380C0CCC33A0BEC1D353D7DB52E8239F,SHA256=40CA6ECCAD419689AE9714F663801E4F5D50AFFA1242BAAC326DBEBC7DFF32AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030602Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:55.807{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DAB51B2726C3794768ED53069C8C48E,SHA256=E8CA670FF37FE33676593BD09AC9CABA9D9B9BF05140AB29E58CAD5C526E21FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893014Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:55.136{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47B8C35DE4DE2FF08C7DD72B1DD94268,SHA256=2B7B8193CDEB7BEBBE29DD932BE772BF8D5C66192932C1451D9E5BFA5A212678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030601Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:55.510{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35F2676CA310EA41EA0512DD6E8C3B32,SHA256=67A0750563185273B49DD7955A7A9B194721F285987626EABF8755D939B4AF14,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030600Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:55.070{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.69unn-212-102-35-69.cdn77.com42719-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001030604Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:56.807{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DAF1700535ACF19626F13781C73172D,SHA256=A896AF039AD233B0A1678069EECC61CB65A3C194C5DC0AB777EBF80DCA40103D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893015Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:56.137{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A5B24FAE91702C9F4A519CA8F522A8,SHA256=D3F25DA1122769491C30AE7DFB16D4549D50176C6A1C95A80E1C145CE8D7E2F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030603Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:56.321{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57576-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030605Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:57.807{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6064729D8FFFC3846ACC30B010A9709,SHA256=69B07C7A20DB9C7174401EAC61355150229B533F857816A3BBA3A02663861792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893016Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:57.138{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C841ABAD90615B3E13F4A8529FEDE140,SHA256=FD98CF8081D11E6E87A866961934061B080E319D067101A263D9A5ADDD01A953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030606Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:58.823{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22079D7A7893A3C1DF557E6ABDA2E177,SHA256=58EC2FB3FECD53D9A2C542E3BCFB083B354CAF4B722B562775641732B8CF5CA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893017Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:58.154{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89964756C6729C06C9DF09B195B77879,SHA256=1C9ADB4D71DDAE70BB716A4882AD8CE6139B4E6F81D36FC6B7FD96D8E90DBC8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030607Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:59.854{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3995174AE308D31E51F4CF3CFC7311EF,SHA256=3E41D9DEF1627AF8D655CF7AE923B7AE78C5844157D9AA46A0F88E54EA827938,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893022Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:49.163{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52681-false10.0.1.12-8000- 354300x8000000000000000893021Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:48.951{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net60501-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893020Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:59.201{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5855C4014424F4F68B158AFA8AF1FF76,SHA256=8CDE7E3746D6D6B55FD23279FC86E57C9F0C449A721781014832ED5D7019D713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893019Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:59.201{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DD24ACD6EFB1A83EDC1D962254EA3E7,SHA256=A8FDEC2C6A746B52D1B7475E2506DBA7F62F908575C687CE44A736C61CA92595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893018Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:59.169{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B8DADB56D7AED613E3C79B9B04DBDC6,SHA256=19F8922A1C7F33B3DAD5B2D2E685110AC46AE7835857EEFA8ABF903A39E3C619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030608Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:00.885{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC52692630589156B739921F34AF1D5,SHA256=06D034A3C3811BF05FED02A84CC6D07877EECFBDC41AD0ACEC925B032EDDE53A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893023Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:00.185{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA98B6F338178B554AC03DD4DD381763,SHA256=D441D0A18BB63A2EBC0114B12650791846177FC399319221E55C70B45BC65166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030609Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:01.995{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9052C08546AFC5B10E5633DB1F15F426,SHA256=9270A60E971C14D774BF1DDA4C63A3F9309B69581CEA0CF53E750D3C0E1E2161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893025Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:01.638{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5855C4014424F4F68B158AFA8AF1FF76,SHA256=8CDE7E3746D6D6B55FD23279FC86E57C9F0C449A721781014832ED5D7019D713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893024Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:01.201{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7B539C35279C27A49C3C8B2422943C,SHA256=BA215F14894B4E50ECBD23C47AD55D016AEB4310B09A8DAC098791A8153F062C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030611Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:02.995{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBEEA2069EF3C06EBFEA85901615F524,SHA256=CA0B416C411A3F1414D31492C0A69D73ADB70CAF91C047F5AA24602761F6B208,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893027Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:52.573{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse217.160.191.146-56841-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893026Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:02.216{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=048162FB97C4C6BBA572769EA0AE7E26,SHA256=B69B831AB6F9FBB8FAD644FF4D896095D0920AFF0BE87AD6BDEA0AE7CE01043D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030610Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:02.180{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57577-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000893029Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:53.843{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse49.238.204.234-60674-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893028Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:03.232{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866133E4E2FBFAFE8247F76999EC3ED9,SHA256=76EFC190FCB09D56EB70F426FEC63846A20975666D2C092F27233F93F058C02C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893032Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:55.053{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52682-false10.0.1.12-8000- 23542300x8000000000000000893031Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:04.419{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=198F8AE1F4182BE2AF0B43D94E163E6C,SHA256=8DB456EF07DBA119F9DF3783BE305EC6CC201ED8B6E75C3FC93B554877901B00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893030Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:04.232{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49EB82270234D24C1823077BA5CDA26C,SHA256=687793143AD03D2D5865D7A8F03FA913679D370B27F7967F031347CEEDC448B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030612Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:04.026{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E64F7B9944FAEDCD4F2A72808BFBDF7,SHA256=9E80BFD20086D3A88B9072CB74969EB8C553640BA635BDA51E8AAF2C01DE76E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893033Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:05.248{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45664928533A1C9660538E3E33617A5E,SHA256=06222D827B92490D0E04F378DF8BE0E083626B09A2A0C0A4ED0D7EBD133C4C1A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001030616Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:36:05.635{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\80A749DD-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_80A749DD-0000-0000-0000-100000000000.XML 13241300x80000000000000001030615Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:36:05.635{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\FF0B1A08-CD41-4F90-8CA9-0CD1036C849E\Config SourceDWORD (0x00000001) 13241300x80000000000000001030614Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:36:05.635{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\FF0B1A08-CD41-4F90-8CA9-0CD1036C849E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_FF0B1A08-CD41-4F90-8CA9-0CD1036C849E.XML 23542300x80000000000000001030613Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:05.182{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91A85370B35B32B490F7C9E86220F434,SHA256=69A192F5206F68701760EF4F8B529F52749728C6AD11A975F311561F3F8CD11E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893034Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:06.263{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B539A106366F5B90174102F4F487EACD,SHA256=B6E357074EB76AFC011EBCB4A10F483989DCD29B29A73A2F7C628B11AF8D11B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030625Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:06.789{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57580-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001030624Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:06.789{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57580-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001030623Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:06.781{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57579-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001030622Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:06.781{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57579-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001030621Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:06.760{2E2BE06D-6DD8-60FA-0D00-00000000E601}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57578-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local135epmap 354300x80000000000000001030620Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:06.760{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57578-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local135epmap 23542300x80000000000000001030619Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:06.635{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCFC2A472B89EAD264CB314473E6023D,SHA256=B155FB98A363EE6454843CDC6DF5A62D3E327A29DF1410DA311F542C5FE32401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030618Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:06.635{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6909037CA2316261CA8E3F4C4F6DCDA9,SHA256=190C225D316E8BDB31F92E1ACCB46EEB31A5D0CE4838722B1A8598EF36718D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030617Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:06.198{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AF525BA86A94FC1CDA2A443F042D42B,SHA256=A2BDDD479D5CD5E61D74BCB429CE5E7304477E8C3C504DD6468B6D4B986236FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893038Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:57.885{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.20-37836-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 13241300x8000000000000000893037Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:36:07.436{D94AFF6C-6DD8-60FA-1500-00000000E701}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d781f9-0x4755e635) 23542300x8000000000000000893036Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:07.264{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7591F78B89E9C34B73B292B40BCAACB1,SHA256=6ECF75929A0B58E248963C60D6556ED0A0FEE8072A5D41A25B662CD95DA2C6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030626Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:07.213{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E1FAA6603AA8D5B05DB702E6F7CC6A,SHA256=12BD55558E51DB82BC0714FDACA8B0CD8AB1136FBFC3D540EA1A063B8AF213F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893035Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:07.140{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65626D535D6DCB7F9784742BF783396C,SHA256=CFD865B96F9EECA1AF327B30933D086A991060B97D20CBD1C6381E8E2620BC75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893039Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:08.280{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3971F3C2ADFE9F4DA8CEF53B256ED0,SHA256=1BF26B6CD466629B329F56A71C07FB2B7E7DF3BD0DD95EBD8459863FBA8F00B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030628Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:08.276{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021433B1B7338DB1BE566B2075876EA3,SHA256=77DD7998F8077CA98936739948947D2595901C72040BD3DE1BA2CCDCD6C21B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030627Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:07.258{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57581-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030629Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:09.276{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F6D1FE42485C08903516A92786A5E5,SHA256=C40F095797121F5AD857136F9E877A9503B49AE26D9241B088A24B659D5FCAEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893041Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:09.296{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9208AFA015F4B995AC10DD01BDE523E,SHA256=E22F28EC0DD219100045C85EA71F06400CA9A65F8F2B34D52A071D1F97F6DE0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893040Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:59.429{D94AFF6C-6DD8-60FA-1500-00000000E701}1052C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000893043Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:10.296{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C612076D60E0AE604B28D5C5A253910D,SHA256=12B84D4B2A5D379D3AE05D0CF3DC3418AD769AD52974289F913667F7E399D623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030630Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:10.276{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8463BAC3B41E904CA827F533F4335204,SHA256=E4974FDFB49C650B4FC461238A15D7F6968E16E0AA6377995439AEF6F4D238BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893042Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:00.133{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52683-false10.0.1.12-8000- 23542300x8000000000000000893044Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:11.311{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F647EAA6797CA1D3450115EABFB2AAEB,SHA256=5610A60834CC68582312A73C8BB2D3DABF3C73D7BA2501D01969F4389B4EBF61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030631Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:11.276{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F737BF19B3A416CD58C1A49EF54B76,SHA256=5A5FABE78D5329A31DF746139D1D266A7019A43F513C8ADFBDF238C8C6712DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893045Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:12.327{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB2D80E54B30F060ED7AA30A187B47B9,SHA256=7D45964EF0106A4E84496DF8A41B07AA51F513124C6E513895515CE58820469F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030633Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:12.383{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57582-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030632Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:12.276{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C43F994CF496F1D46C24F36C662CFD,SHA256=68BB4A0F2D4F15F421292529ED83E5185C29774AF33AF3F77134F1142398A1BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030634Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:13.340{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D17CC6C0B851AF08D406E03D595C56,SHA256=95A801727A590D6E3031B6309E4F5E001A5831AED251E8A7CC3A873A60D19840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893046Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:13.343{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B081C776FAE8F64853B8EDAF9B28AE5A,SHA256=5939F16691F385EFFE8F89EA8854CEE305562FF942ACDA1B871C98F8D9532B3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030635Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:14.340{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933E101546C57363263F0DA001079699,SHA256=AFFC3A83903D86DC84453E407BC5A43BAC5EBA44936E44CE26179B8DE3F97E6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893047Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:14.343{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A0F3A32069E9BC1E97A2DDDE0109A1,SHA256=3083BF3972A3E1C9D5339F969E66C9D3C1573B470573C3E7FBED8A670F1B68D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893049Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:05.226{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52684-false10.0.1.12-8000- 23542300x8000000000000000893048Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:15.358{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F2DFF68DF4EF942705B53AC9593E59,SHA256=98EB3D62E213A7D40A76212F71F41F3DC16A9738A3AA85495588500F9DF2E199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030636Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:15.387{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F025DBD700A302AD6DDC78E88E4D36F9,SHA256=B57158434E7A059F3E8C1D1C110D083C74699256C2FECC208E5596FFF8B39AE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893050Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:16.374{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C438AE151F22C6B660D8A7AAD0AE36,SHA256=948685C59D79CB67C129D0758E41D9DA6D8E36691EF39C89D0FC0292480C2473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030637Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:16.387{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53EE48C2119CA6FB283A41D593A24E76,SHA256=8745279B310684924BAE9A761DD85C07D95D7EC08EC63B330940BF4FC7ACE516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030639Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:17.918{2E2BE06D-6DD8-60FA-1200-00000000E601}780NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9F0D2F328F79EF02F2672CCE7FCB64C5,SHA256=8E97DAB565B274A04BA294435D23A058FA513C5F8D3F9350FF75204FD2CD2331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030638Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:17.465{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99315EEA201EB8B196F8CC0677C4CDD4,SHA256=23786F4BC6CADDB459D7C5715121AD675EC1324957498BFE13210F2101B3A199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893051Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:17.389{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=730D412F967235C3A0E52AB1D8ADE94B,SHA256=C9B726F8293F25E5126622696426178DA9DF832AADB8B2C60BDAA94FA8CC70AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030641Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:18.307{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57583-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030640Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:18.480{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA89508D5B9E01BBB2B23E0183B68D5,SHA256=BACEFA138A94B95524836F79F0E9DDD4EBDB3A9AED969E2A6C4E3B292551EACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893052Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:18.389{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0620AC1B87C7C60ECB741C2961F96D71,SHA256=5C7F6F3AB555B4335C2B2D64178508544D655853BA1C52955707B39130D00EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030642Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:19.512{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F9145E59FD659E4E4EE18F3466247F,SHA256=C1FCE72F09CE066207C44FF5C33F4A4C5BEBDD39FE60935A8504911B2DC83B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893053Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:19.405{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4857A3824217FB6D784D3303EBD6AE1,SHA256=71E3B637358EAD661C63198F2637D85D77AFEA129C8D8F0CD491CB699E8F2232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893054Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:20.405{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C22EA3B99B1DBE48C6DA6FD46F1E69AD,SHA256=88AA0CCCBC3CE9598C4BE7A5E96061B75F350167662A09E469BDFD67A01E3476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030643Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:20.527{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F27CCA19CA9C6D423970414C63449F,SHA256=156C9DC5BA8A7291EFCBFCDF03C4A56CD796ABD96AE5B170190144A08E90946A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030644Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:21.527{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C479C28F1E2BBC8BC8DA87C785331E,SHA256=FD659BF9329119DA3AABADAC7A66830D3F3BCB47B6CED4BEA55D1E16BAF87B1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893056Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:11.133{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52685-false10.0.1.12-8000- 23542300x8000000000000000893055Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:21.421{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878C86D998932A0B6CD7D62925691915,SHA256=B529B90B0FC09F5A65BE6D8459C68FC5BD0AE4F2FBC295040421590408EA9C03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030645Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:22.668{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2C21F45F01DE7C85FDE6A7CC077493,SHA256=A2B5F6269CD34AE715C314655C96012009A0AA0C64A4934465BAC517126E4871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893057Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:22.436{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42CAF14ADBDE78DC2FE31E5530071510,SHA256=97A01B034D420078540B5CC2F2267DBF2DBD32CDB9520FA6C3AADE5413129A38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030646Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:23.670{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF2C6235F29EC5AC409EB00C7A4A893,SHA256=AC89F185DB351058DFDC86C48D3AB4FF0757CA0048DABBDC08310C90E9F63AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893058Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:23.452{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA975825BA50AC4424BAA13F2A7B9117,SHA256=4C946CE04D7D291C20F48FA3C2A8E12E489A554E29E11F74BE5E6604EBA1632B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893059Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:24.468{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D4AB324A75C3A3004C9B2A713D7EE39,SHA256=085FE50E8BDF42763FF00CC5D3ED5B89963EABFEDA3E296B4F48F5EF6ABE1888,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030648Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:24.213{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57584-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030647Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:24.673{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE7EB4133F7C14FF3A5491EFBA235178,SHA256=0E76D5ACD8D69ACEE15718547362C2DDD769DA8CEB653A61DB82444CF5A69AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030650Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:25.673{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10367A1BE2730DA93A7AC82C92456F3C,SHA256=9A9F0F919BB8D19B5087F209A82C5CEB73925260BDC13A66D07127846AC5473E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893060Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:25.483{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A5FC85FC8963716185AA11D3B4C7DA1,SHA256=5D536F3715DBBD8DA55F61799B4D2FA0B5BBAF80A14C3F28E5C09386CB4CD2B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030649Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:25.251{2E2BE06D-6DE8-60FA-2700-00000000E601}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030652Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:26.375{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57585-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001030651Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:26.673{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E0FB8500BD5CFD3F6EFEF0D3144D64,SHA256=6C55A509B242F9A87364FF02C3BEE1884BA7FC66524F6693511A4EC8F0EC9FF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893062Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:16.226{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52686-false10.0.1.12-8000- 23542300x8000000000000000893061Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:26.499{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3638D637F0A02CB55314CC54034D05E0,SHA256=6CA3E937E73F2380947B6D56DDD57FCCE4C812F7DCE72ADB459FDDB8444851FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030653Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:27.673{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE38654BB563C1DCC14D63AF69AAE99,SHA256=D6726B6457CE34F5B768E48A850F3C61EA38BCE05BACCE651ED6D49FBBAE284A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893086Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.967{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-740B-60FE-0479-00000000E701}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893085Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.967{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893084Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.952{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893083Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.952{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893082Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.952{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893081Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.952{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893080Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.952{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893079Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.952{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893078Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.952{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893077Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.952{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893076Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.952{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-740B-60FE-0479-00000000E701}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893075Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.952{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-740B-60FE-0479-00000000E701}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893074Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.953{D94AFF6C-740B-60FE-0479-00000000E701}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893073Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.514{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E5A00305632A9AD2EC7D04A3EE8B870,SHA256=1FCAD186F497BCD66C3CAF26AB59D4E36E06855A4959C9A60E951255D982D438,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000893072Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:36:27.202{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000893071Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:36:27.202{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fb82361) 13241300x8000000000000000893070Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:36:27.202{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d781f0-0xef7dd904) 13241300x8000000000000000893069Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:36:27.202{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d781f9-0x51424104) 13241300x8000000000000000893068Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:36:27.202{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78201-0xb306a904) 13241300x8000000000000000893067Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:36:27.202{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000893066Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:36:27.202{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fb82361) 13241300x8000000000000000893065Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:36:27.202{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d781f0-0xef7dd904) 13241300x8000000000000000893064Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:36:27.202{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d781f9-0x51424104) 13241300x8000000000000000893063Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:36:27.202{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78201-0xb306a904) 23542300x80000000000000001030654Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:28.673{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF7C35B4BC7608EAEF7E5676CDC6589,SHA256=CBADCD8D5A023F9A009410C5669774642E0CF7F293EA512C6003E3151236B903,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893103Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:19.640{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net52887-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893102Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.983{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E118518F6B01313DC9EFC68BF6F1A20,SHA256=B9B2B455ADC46A15B303B7ED5ED331AA61E9C9DA055F319A8293FC19D84175D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893101Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.983{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B16E6B0483B6256380B6368A70DECBB2,SHA256=7519E44076BC4994CC75D01A66983031510CBD5BE8B29D5FFF5DB6AAC0C0693C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893100Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.639{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-740C-60FE-0579-00000000E701}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893099Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893098Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893097Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893096Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893095Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893094Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893093Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893092Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893091Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893090Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.624{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-740C-60FE-0579-00000000E701}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893089Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.624{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-740C-60FE-0579-00000000E701}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893088Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.624{D94AFF6C-740C-60FE-0579-00000000E701}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893087Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.514{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DA89B18E630831047853D3CE6E3F01A,SHA256=620040B108011DEE18CC180EC656AC5244ED470AA4B75B1F0A664D08431E3C7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030655Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:29.689{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C103DB3F1BD0FE5A88F74B5E0B2A162E,SHA256=D057C49D8BD7236F0D7B515777AC8529F3F0236D4E5FA74C0F5FC7AF6A880CD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893130Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.983{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-740D-60FE-0779-00000000E701}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893129Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.967{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893128Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.967{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893127Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.967{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893126Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.967{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893125Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.967{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893124Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.967{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893123Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.967{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893122Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.967{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893121Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.967{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893120Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.967{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-740D-60FE-0779-00000000E701}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893119Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.967{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-740D-60FE-0779-00000000E701}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893118Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.968{D94AFF6C-740D-60FE-0779-00000000E701}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893117Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.639{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C40C38E272FA91AEC4E79BBBA12F567,SHA256=8C584D1CD1291F9A5ADB20E9A133DB27D0239D39626D6A8DE402E1E902C339E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893116Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.311{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-740D-60FE-0679-00000000E701}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893115Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.296{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893114Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.296{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893113Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.296{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893112Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.296{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893111Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.296{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893110Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.296{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893109Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.296{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893108Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.296{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893107Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.296{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893106Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.296{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-740D-60FE-0679-00000000E701}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893105Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.296{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-740D-60FE-0679-00000000E701}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893104Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.296{D94AFF6C-740D-60FE-0679-00000000E701}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030657Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:30.689{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED04FACD9409C86057DF6669C3D761D5,SHA256=B8A0F424E1CAA31F4DDC34C071621336BFCC4BA239E509C54D8600C5896E3B58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893133Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:30.858{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EAF8D3170DAC83F3F395674E45AEA28,SHA256=3CAFA63B65E0E7E75212AFE3B33142E90AB2D457881309F6606A6DE04AB73110,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030656Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:29.281{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57586-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000893132Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:30.358{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E118518F6B01313DC9EFC68BF6F1A20,SHA256=B9B2B455ADC46A15B303B7ED5ED331AA61E9C9DA055F319A8293FC19D84175D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893131Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:30.092{D94AFF6C-740D-60FE-0779-00000000E701}40802604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001030658Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:31.689{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F492666769DD56B710208FBE3BFEA7D0,SHA256=E5D9F4780BE4F3A7EBB4186D462F7D57DD74412B323F31DC52F0DC5EF1298C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893134Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:31.874{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61D260A92815ECEC31621E2401B3809D,SHA256=C8394D2C4722B1B6D8F004E6D38615D1F3368F1DD1C090E73CF5A7F4A36A163C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030659Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:32.705{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932FE7F3D5134A186CB543A8E6D1CC29,SHA256=15BED6D3AA9EBCA1E13BBF531E0C89F377F4A7C1F716529128485E536E982DC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893135Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:22.117{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52687-false10.0.1.12-8000- 23542300x80000000000000001030660Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:33.720{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D1D8AFDDA40BCA97C2561DCF4C7282,SHA256=39CDBD43FAFE757441330E8D63F94CFE92C5E7EDDFAB80526C6B4742963DCFFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893136Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:33.061{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF9DE2695024AC6E74277937A64B8B8F,SHA256=0A950397A0C95C1BA3B3851760E25E5CABB7231945ABD157447CC4BC0E4A9854,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030663Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:34.720{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31F9CE395B559C25C94E46C8E4E739EB,SHA256=0A6DA24FE8B064EC54A331DE927AD674F10D350B26BEB96BA6ED3451AAFF33BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893137Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:34.077{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84ECE05051566893D64FA0CC468E5E10,SHA256=DCCF472D002190D3705385CEF8ADEEBCA6E8E76F0E9272963C505111B7DE4C18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030662Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:34.470{2E2BE06D-6DD8-60FA-0D00-00000000E601}9045064C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2900-00000000E601}2924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030661Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:34.470{2E2BE06D-6DD8-60FA-0D00-00000000E601}9045064C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001030664Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:35.736{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D116F577A93D9D119437BD10518BE3E4,SHA256=4835F9E4CBDE81851128AFC0E6A58C983ACE4B2AB83AECCE40AFC1F082A33A8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893152Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.561{D94AFF6C-7413-60FE-0879-00000000E701}19162256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893151Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.452{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893150Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.452{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893149Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.452{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893148Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.452{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893147Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.452{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893146Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.452{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893145Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.452{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893144Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.452{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893143Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.452{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893142Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.452{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7413-60FE-0879-00000000E701}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893141Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.436{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-7413-60FE-0879-00000000E701}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893140Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.436{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7413-60FE-0879-00000000E701}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893139Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.437{D94AFF6C-7413-60FE-0879-00000000E701}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893138Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.311{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABCCF824DB29B7A591DAF3FBD8F12EE7,SHA256=06309BD0598B7D13FCEB1AD1BCE00C01F2C5CA2DEF1B71DEF980D423D5119271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030670Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:36.736{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F4B6EBE1F91C50EF7FA3F71E924552,SHA256=2B7C1DFB56D5D9BCFBD16C19107A08CA0F129075FC68F2B682775A155D2C8310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893155Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:36.546{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA4D2C11A60009F059FCBA7A83D244C4,SHA256=A307093609540CF85AB3C53319770308CA215B298A7B58DCACA99957CA5C06D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030669Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:35.203{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57587-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001030668Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:36.048{2E2BE06D-6DD8-60FA-0D00-00000000E601}9045064C:\Windows\system32\svchost.exe{2E2BE06D-CA2B-60FA-580B-00000000E601}4088C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030667Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:36.048{2E2BE06D-6DD8-60FA-0D00-00000000E601}9045064C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030666Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:36.048{2E2BE06D-6DD8-60FA-0D00-00000000E601}9045064C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1400-00000000E601}688C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030665Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:36.048{2E2BE06D-6DD8-60FA-0D00-00000000E601}9045064C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-0C00-00000000E601}844C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000893154Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:36.452{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F5E0A9C4EEFC54F76DECA0A9D167BBF,SHA256=C4BA4EDE69ED03A4E39893D4224111279E49175EF87EA68121EFF2316456C2D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893153Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:36.452{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=571B1D1A7584E38B9AF28FFFBD782896,SHA256=BA27AF9CA41EC528CEF48B01F0C6BB1E895B6F736B48F0750289925BD892C487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030671Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:37.736{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524D95D8E74E61406E8B2B3FBB857746,SHA256=3CA54C8B9C516B4E9EB5032F27BC7F69E087CA72002C604E2499A910A3474400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893156Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:37.561{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FE7E46DF1944E2A9FAF214CF20C514,SHA256=C0100D504CA5A9612C2FA83B7C79D0C4C24737DFE2C2FD2553E7DD06A50B8943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030672Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:38.751{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B07B223DB258FD7E5E5C1F0BE4D5CB46,SHA256=7039D7137463075B0054C89D0B1402E1C78E9BCE966617AAFC1930F31DCBBDFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893158Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:38.655{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D963CF8B6360A7C08C0A3CEEF0C6DB2,SHA256=D0AD1FDB6EF4F00F85688A190DB8C51F2938B05B2436E4D64A3F3DDA52E0D1E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893157Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.085{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52688-false10.0.1.12-8000- 23542300x80000000000000001030673Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:39.767{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24276B68D645F5583D40DA760B12686,SHA256=B5111E15BF4CF853770DB00AF912ADA04CAA74C1A2B3776AFD6EDC12329DF8F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893173Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.671{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46B64CAB1BE5FF3A42283212E237FB4,SHA256=B0BF98FFA5BEF6820F9C307CF96DBEDA480FD29666F6C2AEAA4572182D71EF78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893172Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.624{D94AFF6C-7417-60FE-0979-00000000E701}39881860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893171Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.514{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7417-60FE-0979-00000000E701}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893170Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.499{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893169Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.499{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893168Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.499{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893167Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.499{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893166Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.499{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893165Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.499{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893164Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.499{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893163Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.499{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893162Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.499{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893161Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.499{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-7417-60FE-0979-00000000E701}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893160Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.499{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7417-60FE-0979-00000000E701}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893159Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.499{D94AFF6C-7417-60FE-0979-00000000E701}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030675Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:40.767{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5743E6BD4A1005F70D2B0DD62A1B7F35,SHA256=2652A10288BA985496CF8967904431671AAC935275F0EE3BBAD9746C937FFC62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893189Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.686{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E9FD0D5D0747F390E311F5F569C661,SHA256=87D913B5697AD13B1AFA4F1ED0D7973CE9AFC20EE7BF95551EEAB8C7253B6260,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030674Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:40.343{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57588-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000893188Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.514{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F5E0A9C4EEFC54F76DECA0A9D167BBF,SHA256=C4BA4EDE69ED03A4E39893D4224111279E49175EF87EA68121EFF2316456C2D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893187Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.124{D94AFF6C-7418-60FE-0A79-00000000E701}4004208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893186Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.014{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7418-60FE-0A79-00000000E701}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893185Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.014{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893184Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.014{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893183Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.014{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893182Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.014{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893181Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.014{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893180Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.014{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893179Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.014{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893178Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.014{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893177Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.014{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893176Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.014{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-7418-60FE-0A79-00000000E701}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893175Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.999{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7418-60FE-0A79-00000000E701}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893174Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.000{D94AFF6C-7418-60FE-0A79-00000000E701}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030676Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:41.767{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E398C5FD4C3FA19D7CD0DAEB265076A,SHA256=56AE278F5D95B627B372200035C3700F2B565BBF0C0BC899E6B3AB654BD8806F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893190Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:41.702{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF40378FD0AF31EB502862B08E6AEA15,SHA256=216B8A3C62718BE91A79B4DF476289F2692F75DCFC8F14485A8E1EB3D348D491,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893192Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:33.194{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52689-false10.0.1.12-8000- 23542300x8000000000000000893191Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:42.717{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A321780C1283C2692100DE8921891E7C,SHA256=F53D6E6EAAC7E28B52A946B28508A9E20D4AC63A985D477E985CEAF0FD5DB436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030680Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:42.767{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808C41CAC51C16E90A6DFE184A845D04,SHA256=61F949F056B11CD4A8A1F41F0BAF8D5622AB659A3F0AD3E133449FEC5F184BD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030679Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:42.424{2E2BE06D-6DD3-60FA-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57589-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local445microsoft-ds 354300x80000000000000001030678Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:42.424{2E2BE06D-6DD3-60FA-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57589-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local445microsoft-ds 10341000x80000000000000001030677Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:42.251{2E2BE06D-6DD6-60FA-0B00-00000000E601}6364400C:\Windows\system32\lsass.exe{2E2BE06D-6DD3-60FA-0100-00000000E601}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001030695Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.876{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-741B-60FE-9B79-00000000E601}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030694Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.876{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030693Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.876{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030692Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.876{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030691Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.876{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030690Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.876{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-741B-60FE-9B79-00000000E601}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030689Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.876{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-741B-60FE-9B79-00000000E601}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030688Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.862{2E2BE06D-741B-60FE-9B79-00000000E601}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030687Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.783{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F40D2ACC2536808DAE163BBB15D5F87,SHA256=DC8D525CB9F2141EC87A03A370B5AF33AE443C1040AE03D0F48FA5E1B05CA5A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893193Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:43.733{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE36131C0727924D5B7D601F883A895F,SHA256=1D982FF36EFE72A7E11CEB0FEF51643CBC795685CA2F616FE6BEE3C9BE88F5A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030686Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.294{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-56.attackrange.local57591-false10.0.1.14win-dc-56.attackrange.local389ldap 354300x80000000000000001030685Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.294{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57591-false10.0.1.14win-dc-56.attackrange.local389ldap 354300x80000000000000001030684Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.284{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57590-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001030683Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.284{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57590-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 23542300x80000000000000001030682Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.220{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60D563249C53AFC1A04A6CBF06C5046C,SHA256=E594FB30792C4FD4256E019B8E3A05D903E8D3510D596ACF19B55AF603E72FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030681Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.220{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCFC2A472B89EAD264CB314473E6023D,SHA256=B155FB98A363EE6454843CDC6DF5A62D3E327A29DF1410DA311F542C5FE32401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030705Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:44.876{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60D563249C53AFC1A04A6CBF06C5046C,SHA256=E594FB30792C4FD4256E019B8E3A05D903E8D3510D596ACF19B55AF603E72FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030704Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:44.784{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E80B99ACCE399C040EB17E115887BA3,SHA256=CC2526830CCBB14358477E7F28A6F5605B54BFFB8304359CD441A20049A2BB01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893194Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:44.749{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85DE025E521A61A566F13BF4AD69F879,SHA256=C3A012E7D585030D42430D8DCABF11CC14E668E8BF83851BDCA56EA8DEBDC17E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030703Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:44.564{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-741C-60FE-9C79-00000000E601}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030702Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:44.564{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030701Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:44.564{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030700Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:44.564{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030699Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:44.564{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030698Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:44.564{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-741C-60FE-9C79-00000000E601}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030697Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:44.564{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-741C-60FE-9C79-00000000E601}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030696Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:44.549{2E2BE06D-741C-60FE-9C79-00000000E601}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893196Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:45.764{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFBC8C60588BA843BC115117FF23EF0,SHA256=E3F6C649EE082D0EE5F6C2FD89E047558BC05DF16B90F470BD2733ED196E03AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030723Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.955{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-741D-60FE-9E79-00000000E601}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030722Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.955{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030721Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.955{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030720Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.955{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030719Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.955{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030718Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.955{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-741D-60FE-9E79-00000000E601}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030717Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.955{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-741D-60FE-9E79-00000000E601}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030716Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.940{2E2BE06D-741D-60FE-9E79-00000000E601}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030715Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.798{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=383B0903C1C2B5ECA392F45EA8F500BC,SHA256=7CEDB5E159C4020CEE0F492E4D282422D77099D6C6BF322A27F67696588EEC76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030714Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.455{2E2BE06D-741D-60FE-9D79-00000000E601}27322068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030713Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.267{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-741D-60FE-9D79-00000000E601}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030712Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.267{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030711Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.267{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030710Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.267{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030709Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.267{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030708Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.267{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-741D-60FE-9D79-00000000E601}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030707Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.267{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-741D-60FE-9D79-00000000E601}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030706Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.237{2E2BE06D-741D-60FE-9D79-00000000E601}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893195Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:45.467{D94AFF6C-6DD8-60FA-1100-00000000E701}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7561D611F72034EC914662F2DC542D11,SHA256=D392F385147DC81E8C4EE26C19976EC236ABBF565FC5DEDAE47245D3A97B4AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893197Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:46.780{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=250FE543F88D86615649B32AB17DE7BF,SHA256=9A9A5E4678278D281C0149567FB6B5DEA2B954408D74B4F6FE7BCB772360795D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030737Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.830{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087188D237BC02A5996E0A3E0BE8D77D,SHA256=427C8104EA881045F7AD0C9E45B584C6E0125D44E3BB03588896AE19B4770C4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030736Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.814{2E2BE06D-741E-60FE-9F79-00000000E601}66206824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030735Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.642{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-741E-60FE-9F79-00000000E601}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030734Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.626{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030733Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.626{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030732Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.626{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030731Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.626{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030730Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.626{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-741E-60FE-9F79-00000000E601}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030729Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.626{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-741E-60FE-9F79-00000000E601}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030728Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.627{2E2BE06D-741E-60FE-9F79-00000000E601}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001030727Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.218{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57592-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001030726Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.549{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.7-4068-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001030725Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.236{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA064292AE796FCB75749E7547054550,SHA256=B86DEB79CD83EB62939ADAD5E815E61ADEC1FA646CE3F439F30B685D611B2770,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030724Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.142{2E2BE06D-741D-60FE-9E79-00000000E601}46921532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000893198Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:47.796{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED6E6DCA5B2C5266B4AF091960A5C4B,SHA256=60F74D78DBF2C1AA9ED08572DA5584B407590824DEEE9D054C3AE3555469D25E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030748Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:47.830{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF967E1C1796595A1EA724DBAD6A186,SHA256=E87A146402E52028936B00044E92CAFD0AF094CDB5109C1B5491707411F49BCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030747Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:47.658{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDE92C4E434767CE1F6171584A09874B,SHA256=A7A71DEC9AFA150ACC9E0DEC54F5EBA8AA6A6FC3E90C869FD96D25069B1E0870,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030746Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:47.501{2E2BE06D-741F-60FE-A079-00000000E601}9445216C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030745Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:47.314{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-741F-60FE-A079-00000000E601}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030744Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:47.314{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030743Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:47.314{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030742Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:47.314{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030741Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:47.314{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030740Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:47.314{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-741F-60FE-A079-00000000E601}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030739Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:47.314{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-741F-60FE-A079-00000000E601}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030738Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:47.299{2E2BE06D-741F-60FE-A079-00000000E601}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030749Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:48.830{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE75979E37370328181C696EF506F40,SHA256=17A05324B2BB52DAF5F51E6BCA1CB858457F9DE0BC60CA6A9934FA4D1895B053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893199Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:48.811{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECFC94F148090F4EB15C3B53241836C6,SHA256=69DBB0D225EBBEEFF971CC03B71AC4C824625124D8F8BEDF99FEFC5AA81FEBAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893200Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:49.811{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8EE48D781AA2EBD7817920CBCBBCA7,SHA256=F7FCF4B05327476FD4CB089F0DABF7A79AFAAA49E66BA13EEA0167AAACBA296C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030750Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:49.830{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B2EF49640355BEC774BAE50E20D20D,SHA256=198CB60839E5E74274959203C6333D1997E349D13D40985ABD1104CE08CFEA68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893203Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:50.827{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F81B9F2C6BEFAEB11EF054922D630F38,SHA256=A63FDC63878B0439123850B7443BD3879314D49513D58CE8482086EC11A82F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030752Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:50.830{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75531EF1DDEE95FF77538F96377CE002,SHA256=0A73BC4C3A89FF3EE41EAB57B6A39671C3DF44DFD0FC010FA644582F553BCD0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893202Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:50.436{D94AFF6C-6DD9-60FA-2200-00000000E701}1296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893201Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.085{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52690-false10.0.1.12-8000- 23542300x80000000000000001030751Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:50.642{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CDA8B34537485056275C26970FEAD35,SHA256=D622AA959E58211C9AF414E17E878898029AC6A8FEC9AEF7A45F8350CF020C1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030763Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:51.845{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=028C1D13782E951AC5EFFC78A5B90153,SHA256=F01240B0BE95A894DB909F63262680B12412A6B036330B7A30AD44B64669395D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030762Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:51.830{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7423-60FE-A179-00000000E601}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030761Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:51.830{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030760Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:51.830{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030759Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:51.830{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030758Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:51.830{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030757Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:51.830{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-7423-60FE-A179-00000000E601}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030756Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:51.830{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7423-60FE-A179-00000000E601}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030755Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:51.815{2E2BE06D-7423-60FE-A179-00000000E601}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001030754Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:50.750{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57593-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 354300x80000000000000001030753Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:50.750{2E2BE06D-6DE8-60FA-2300-00000000E601}2740C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57593-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 23542300x80000000000000001030766Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:52.845{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDFFE5D20CA64D4B39259FAE55AFF71F,SHA256=9F204FE1B4190B45A43975AB06C1C5326D1AE3A377A0663027835276A05251F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030765Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:52.845{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A9E9B644E0921E62624EBF7A62C4D7,SHA256=41425D95A380F312608E5925D7A0A40FCAFF2D27DECD2C174C1FF1B3146DFF54,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893205Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:42.429{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52691-false10.0.1.12-8089- 23542300x8000000000000000893204Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:52.061{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4713C74450EEC85C92C67DECBD55D17D,SHA256=84A1D1CC03C65E82C310A839145310090ABFC086BB5D71CDCBCE0BF978222C70,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030764Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:51.343{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57594-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030767Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:53.861{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95ED5EE667A9BC74E258E1156774B2E3,SHA256=A77F422DEFC95C258584CF9FA3A8EB73B663F32D9A94F18480BBB0888798DE9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893206Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:53.155{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46C3A0949A80FEBA936E86784963FA7C,SHA256=2DBFDBCFE5F0B36D2989CB454C8CDD5177F6DE32A577EAC649BA21F806DF0446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030768Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:54.892{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC81E198E95F6E23DF159EE004AB0F03,SHA256=971588ECEA140E724D906AEA98FA3E47F0CCA3291E6CECF3CAE402F9DE96DA81,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893208Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:44.225{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52692-false10.0.1.12-8000- 23542300x8000000000000000893207Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:54.171{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2B9658DC861563B1558BA76009C4BA6,SHA256=4D8C6CF4C824B25F5350FF8E8C101030C60EAD6AFF6D49FB6D70073DFAD5F7B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030769Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:55.892{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2C5BF8AAA43BD2AE9E75360EDF7939,SHA256=9B12E6D914D1D461B9233BF754E83C4D48599B8298C767F049D134D9FCA062ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893210Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:55.405{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0FA6E0D4CF96DF9BF90CA2954DC22B,SHA256=A24D680656B3E16B2E8EAAD49395DCB0E637BDC618FE46CC2A761D06D1A80EA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893209Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:45.434{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse107.173.59.121121-59-173-107.reverse-dns49398-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x80000000000000001030770Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:56.893{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B45512DE4F7DF4FD4BCFB80880C45E,SHA256=76F373D219B8F76394A9C995D649EA75565DB77A43BD97BC31CA6220864686E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893213Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:56.952{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6DF8D3A24B5FC4AD6F5EEDDB79D0148,SHA256=E439BBAFF28EAC72FA8484E0828A34157D4ABF8C4C6F5915A6E5F466DCF9ADBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893212Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:56.952{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBF79ECFFB80E531072F4EAFDA86D05A,SHA256=0F13A24FDF7DCDB76602C9BE8DEB9C0C64C6F1CEDDDDBB72531EE228ED1A4E76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893211Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:56.624{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57117FF530BA5038EEAC08A37E2CF7B6,SHA256=485C01CE1D87BFDFCB3F87B74B127080F5020636EF1F6F8D7C787B5C15C49ADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030772Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:57.908{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A89FB245F882128ECB6B3777102DC81,SHA256=CB91CD7D7F8FE248660CC379D45827DD756C6368C39444842C19DE819596E90E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893214Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:57.657{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F7C43901B091701B5AEDCC95C6ACD20,SHA256=14DA00B613BC56BCFD83B2F9DAEAFACB2A006B4F316FEFC4745890D23AABC250,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030771Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:57.171{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57595-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030775Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:58.923{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=788F9EA0BEF6B74AA1CCA26CDDE1C19D,SHA256=ADD9BC6D0D62E6D3D5651DCC798C2B0312FA8D3862451E905F37CEDC6E8BC072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893215Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:58.675{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7748DA9D95C1C4A0EAE8E6BD2AF53940,SHA256=D85A6B01D34B35E11CE91B9C9C4B64521ED637CFC6B3A7033D880AB4D4CDB1AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030774Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:58.486{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BD9826B8CA828C7BF5AD77AB9564DA7,SHA256=BBA6894A1786AD0508D6FAB1851AB00FB14C5D01E66972EC7FD9244DC8609ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030773Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:58.486{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7FA858D3742C776B7D5F5E95B871D98,SHA256=F2EA881556A49442447AA0D110E90F4C9B5A0D4A21EA277EE0CF876EB86B6955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030786Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:59.923{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D10DC7C7DD0539989F66BB3CB19E9DD,SHA256=15D05FC48A900E69E2223F7B147001ABFEF2E00D7930D0F2186CCC0A2172220C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893217Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:50.136{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52693-false10.0.1.12-8000- 23542300x8000000000000000893216Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:59.753{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=792BD0190F061DA5DFE0A10ACEEE4EF2,SHA256=F5704C5CDDD6878EF17646401790947DC21E3B083504BC7E6C2695A204B85D8F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001030785Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:36:59.595{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001030784Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:36:59.595{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fb8d155) 13241300x80000000000000001030783Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:36:59.595{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d781f1-0x0459637f) 13241300x80000000000000001030782Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:36:59.595{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d781f9-0x661dcb7f) 13241300x80000000000000001030781Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:36:59.595{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78201-0xc7e2337f) 13241300x80000000000000001030780Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:36:59.595{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001030779Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:36:59.595{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fb8d155) 13241300x80000000000000001030778Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:36:59.595{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d781f1-0x0459637f) 13241300x80000000000000001030777Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:36:59.595{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d781f9-0x661dcb7f) 13241300x80000000000000001030776Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:36:59.595{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78201-0xc7e2337f) 23542300x80000000000000001030788Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:00.939{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E603205CCEF1C8671AE2A0C6B33DB9,SHA256=9A25614ACAE02ED24774D1AD2AA570A666F2695B4081841FFF3F3C87C3ECDB31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893218Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:00.925{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=023DB1E83DE7059B17EB33A03B4E6582,SHA256=9C42DB2AE891FE3D3BE9C34EDEDBC851EC11579015EAD0F7C5E66816254C1D4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030787Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:00.173{2E2BE06D-6DD8-60FA-0D00-00000000E601}9045064C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2900-00000000E601}2924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001030789Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:01.939{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE5E9789D8EB340A5B3DAEBE70F863E,SHA256=BCCC29086E8147DB23068C98BAB1D376B623CF687EC5538B877FEC55273BA620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893221Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:01.940{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5FAFF039F2ECE1844B0CE3430FAF9E,SHA256=1A54274AAC9A3004924081909182A567DED4E5EBEDA81F9E7CFDDB3C2BD066F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893220Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:52.304{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.33-33306-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893219Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:01.440{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6DF8D3A24B5FC4AD6F5EEDDB79D0148,SHA256=E439BBAFF28EAC72FA8484E0828A34157D4ABF8C4C6F5915A6E5F466DCF9ADBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030791Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:02.954{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A14574FCED2BED12502E8B3C6F31AD93,SHA256=9A202AF4C263954E04E82713711DFE7D2F923DD7B3E90C0555A76F10C01A2724,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030790Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:02.265{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57596-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000893223Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:02.941{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E518DFA46EB4BFE20C04D994CE959964,SHA256=E6803290D4D832A37D1181602732D7DB84281BD9670C998864F1314B3744C338,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893222Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:52.649{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net64914-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x80000000000000001030792Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:03.970{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C0D2F0F594A536C2314C0D7C470FB92,SHA256=678AB5BEE4D4FC06031DA738991B2363F267B283A462DE6C1851E238236CC0F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893224Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:03.956{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDAFAFC82402217405AD18F2DADE6DB2,SHA256=406CCCC2DCCEF7751469477A1DAE051406A40C27B88B36D620E479D407E3C011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030793Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:04.970{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197CF5A98816876BA3BAEDEE0E9A9EF8,SHA256=E271CC0243323020A66E1165DE8DAC9D1A0570F99F2A522F29F286B62A5955AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893225Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:05.050{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=698896D7CD632959F5B7F8EB785D36AF,SHA256=C4E8C7A649881092E06DEED5969ACA6D9716609B8BEC014FF2D03065ED5AF5D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030794Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:06.220{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5969F07AB9F692BF3F19533355ACEAD2,SHA256=A937A24FB00EF76FCDA235947691848FFE9C8CEEFA866A84DC9643630E18FACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893227Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:06.144{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=317B1A5F6FD11F7A65F2DFA95CA8A5BE,SHA256=B0AAA562E4F0EA6CD577209CA0F02CD55332A05D3C37B7638AA6CF016DF1DA20,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893226Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:56.057{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52694-false10.0.1.12-8000- 23542300x80000000000000001030795Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:07.251{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504E01933B93189C377AF0EF1A4E1ED3,SHA256=0018C8B2C30440B19F55D134924A7B12B85A55A95FD384B0AE5A9ED7A4F31D9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893228Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:07.159{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DBB0B80EBBC6AF7309482C84C7EF7A5,SHA256=044D19CD19E2A2B69E16694CA8AEDB45624B8A5CF242283718675A2B41D74D09,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030797Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:07.343{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57597-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030796Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:08.267{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A57E948F0CAFD123F3B9E4B5EFA26F9,SHA256=177646A4F7504ECF7AD2A38732B0B903B37E7CEF865CC17CDF4D798BE4B626D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893229Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:08.206{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5774EFD941A245FD5A314051B923620F,SHA256=FAE2B7B98E7FB8E01FE9F3BC22F59EC035A5742C31DE9AEF4140EC72F8EAA918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030798Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:09.283{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C874CACE56C8BCB31A171D95CE2E532E,SHA256=0D1B7F465A79A00F36DF2BF572256EB5984C5C852117BF72261A5E3FF351B56A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893232Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:09.784{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2157B80EB3173F86EAEDB27A63D2CACB,SHA256=8155CFE8B2CF828C4B48563C2DD10CFB1246A9430D227751D7CC730125E5A4E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893231Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:09.784{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54928EBBE420F7FAE2BE0D8BC476FDA7,SHA256=A0D42A02B257E03F96241036E439D330FBF9D3E8CF8506ADCDC41FBF5CADD2A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893230Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:09.269{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D689A6EE64190992AB5721C9E39CD5C0,SHA256=4FC02BCCE5A2DD5EAA44D0541C6848C199A7F7F6C5DCA5C38E939360F95D4536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030799Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:10.298{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D38F780666C140B087B11A457C047F3,SHA256=5F2222E546F07142B5C5CCE4FC77F2E9B81F9311293D2D630CB53AE507B08F13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893234Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:10.284{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46754580309D8F85AD080E4DC099413B,SHA256=630973122D99B66DC6393FE4AB50BB6B572D75154ACA89EA9D1701134B38555B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893233Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:00.051{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net60191-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893235Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:11.362{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333256FF1EB96B6FB92154412450457F,SHA256=E19F9BE08306ECA9F856CCC5432CDD2AF59C9F6FD396F97DD773497166DDF5FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030802Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:11.720{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B563CF9C76B1725DF678D1111CB5678,SHA256=EA6F22D2A9857012E2CCD076CCAC1E1C7BAA6D6244408F5FE3FDE52614747E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030801Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:11.720{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BD9826B8CA828C7BF5AD77AB9564DA7,SHA256=BBA6894A1786AD0508D6FAB1851AB00FB14C5D01E66972EC7FD9244DC8609ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030800Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:11.392{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A501228D078F12959E01C69737BEC39,SHA256=E70768002B8325311068F0A9D9C5C6B864335631D6CEF5E9AC40089A43EB09BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893237Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:12.409{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4EDD2F293CD0E302C11174E740B9C99,SHA256=CB0571FFC06880B4EE10D806CD2D0FCE9853DB7D09330E30CF47DBC7A299561E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030804Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:11.249{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.235unn-212-102-34-235.datapacket.com46710-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001030803Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:12.408{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAFA999CFB412449BD1F8810243DA2C6,SHA256=9B7C205B0E703700E54A76E28EB16432901ACC10F39BE8BFC76662C723C2855E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893236Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:02.120{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52695-false10.0.1.12-8000- 23542300x8000000000000000893238Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:13.644{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73540F7D1FC3202D5382F913B13DE1F0,SHA256=FD3C7DB5E8E0FA0F4C41F7E200B271A0FF21916EB3986D9903F20DFECBFCBC20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030805Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:13.454{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5117C18BEE577A527FD49B844DC55FC,SHA256=0730EF158F659DE2899B2CC663D7CFCCC1DFFB21FE11F256627B36AE71C627DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893239Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:14.675{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B650AA994D08E32CF5EE79CB6C53C26A,SHA256=30E48FAD9732D051A7AFB8550B2CF29CA94F47C0FD781E40BA315CC167349F33,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030807Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:13.250{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57598-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030806Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:14.470{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC5A75581A969F594C8968A829E7E29,SHA256=B4C5086F0DF84C302AF360C47E62BFB8CCACD40766B21093747B5FF0A110AF15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893240Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:15.847{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A817CDFDC88769F3F94319187EED96A2,SHA256=BB2927F7EF7B48BFDFE28A95EB1A82054577E1D337420089E3C79104453D0BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030808Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:15.486{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2A66235CEF006783ABEDB8E7E25878A,SHA256=F13DFBBB607C6CF587210BB06DA18B0C1697E1F56289E8A46AD75EF5666FB20E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893241Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:16.862{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA1A4D0E07F8AE38A3E8360F5569ABB8,SHA256=64BF09BA9FC3D22B76EB2FFB49A0A1900A4BC0CC1EBB37A149BB10EB054DF0F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030809Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:16.720{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1498F65180C237B1E712595ECF9A1AF,SHA256=615064B3F530C2CEDD9D079CFF743E3C43B26D4EB7DF189717D184FBB4BADE33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893243Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:17.925{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65BB3C7CAA24C48BD283EAF2CEB199A3,SHA256=5D9F8F0C0C5E1EF3F8DD9723F643C94D200CDF1E703F44CE6CB6B71C1E6AC066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030811Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:17.923{2E2BE06D-6DD8-60FA-1200-00000000E601}780NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=12BE928DFCC01A6E368686F05FBA31AE,SHA256=60BEDB81A4B85C400B210D336A2C4CA68301DFF55EA74306B69151F6E1DD8CC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030810Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:17.736{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7D44C73E689700A11F5E86E2E2F2E4,SHA256=CA86F9A6B24C9AC9A443E9F0B979D502985A517A5E5FD34BCA54A963B9F6818A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893242Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:07.261{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52696-false10.0.1.12-8000- 23542300x80000000000000001030812Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:18.751{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB05262EEAE20AACE1979433D3F8DF91,SHA256=7E18C02991BCC6034F4944546FBFFF1C12A839F57A01CCB6FD50911F8A06A116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030814Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:19.830{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=868B8B8EED031B601D2E000A155DA851,SHA256=F4D20ED49196AD4A1763FFF7E877CE711C2194CA4E2B6FA22ED07C9F96942A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893244Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:19.034{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08C6219BB1053BFC7936A361D81B751,SHA256=EF92140092A551B443D568AADCFD872D7255F03D07F004337F62E7304A2917FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030813Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:19.171{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57599-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030815Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:20.861{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B104E520E516155A06DD874223607E03,SHA256=B0029B562E99EF9A862A85B2ED4981D1202E229CA97311A56CEFE3FBE244BDF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893246Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:09.589{D94AFF6C-6DD8-60FA-1100-00000000E701}972C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:7d9e:68ad:2370:b7c0win-host-702.eu-central-1.compute.internal546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x8000000000000000893245Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:20.081{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C766406A824FEE3FCFC85ED1D8E76FD,SHA256=B902E34D3401FBD35197FC10B3F794BB58A1058E4E3057CB83D2545D0B60C1AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030816Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:21.861{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9228B1E95B4F7FBBBB534F35361ADA,SHA256=B471FD3C4E0EDC08F7CCB74D88957E85F9BAF8FA17407572E0D502F4C0C8359A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893250Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:11.500{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.227-60283-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893249Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:21.206{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A118AD6BA763C7AD4B5236BB5028C0B,SHA256=88B647DEF50322C9862043222D2F7EFB9E9F5F771182DEF6241DF2A64A4F5802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893248Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:21.175{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA04F538FCC8247DA467D042B55C140B,SHA256=041B29A251BD0863F0ED2A743BFCA5F3AB2AC880FB1189A9558AC41DA01D8AAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893247Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:21.175{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2157B80EB3173F86EAEDB27A63D2CACB,SHA256=8155CFE8B2CF828C4B48563C2DD10CFB1246A9430D227751D7CC730125E5A4E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030817Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:22.861{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCB22E8B4E179B5274D02CB2DC20884,SHA256=4EF9A1A521E0F4DF9B671817EDA5FE9321F4B2AA85E14133D1B2DF645444BDC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893252Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:13.213{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52697-false10.0.1.12-8000- 23542300x8000000000000000893251Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:22.269{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B87E147BED4ACB8B0733C6A545EE133E,SHA256=54813FA6FA91F72E2FE7965FDA18AA2787C146128C03DC6C86EB36C1D857D2C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030818Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:23.878{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B34F95899707A3AD57F9BEB4EBEE3F90,SHA256=51B97746463F6662089B8E536D49E13A05438EB536A5DD880019042F48ED2804,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893255Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:14.021{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.33-46163-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893254Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:23.597{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA04F538FCC8247DA467D042B55C140B,SHA256=041B29A251BD0863F0ED2A743BFCA5F3AB2AC880FB1189A9558AC41DA01D8AAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893253Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:23.284{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C1F2D84DAB0CBFB7142953A3B08AD64,SHA256=7166F8B49F3BE88572C57F8381BCE7A0197D09CBC0AA55D77FE1E764A0B6640F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030819Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:24.890{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4032AD9FB74EC662732F374B5D158E3,SHA256=E314696FE043B69FD46DA8DEF8B108D3966581691994C3C6CE43610B37EC5984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893256Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:24.347{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4540C2B8FD9602306940E8D5B7EA7D92,SHA256=F647569E245448BBA6FD44FAE848F73EAE233B0221977BA4DB2B982F2B7E4298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030822Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:25.893{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02ECC957264124D1489EDDFD84EF52E4,SHA256=11E59818A95793624E7F5E72843B71DC1BDDFAADCD28E654B6CA05C16E939562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893257Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:25.362{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D5EA8BBEBB1ADA6A9EA04CA1811ED4C,SHA256=1EE15DAD477044DCFBDFEDFAC58DFBBD0B9CFC938F054261B4EF3A48B9757E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030821Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:25.280{2E2BE06D-6DE8-60FA-2700-00000000E601}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030820Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:24.296{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57600-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030823Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:26.893{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E2404D24766C4A076803CDD441A3AA,SHA256=3D8B1240FC1D3D0FC6437F7F47E02896C4E779A3E07245F675023D8C9DAC6FE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893258Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:26.378{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9638C8DC8F02B9A3F6898924350190E,SHA256=A5FDFFE976CD0429B6DBEB9D35D2B0C8B7AFE7041D4414E6DC617C18F082D722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030825Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:27.925{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04379DD23AE2A681D825C6C1127C569B,SHA256=4415BA3D0BC9B230E5D8C8AA6D27DE2F2CBCD92BBA81E669428315EE71D7AE74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893272Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:27.972{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7447-60FE-0B79-00000000E701}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893271Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:27.956{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893270Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:27.956{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893269Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:27.956{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893268Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:27.956{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893267Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:27.956{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893266Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:27.956{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893265Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:27.956{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893264Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:27.956{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893263Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:27.956{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893262Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:27.956{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-7447-60FE-0B79-00000000E701}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893261Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:27.956{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7447-60FE-0B79-00000000E701}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893260Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:27.957{D94AFF6C-7447-60FE-0B79-00000000E701}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893259Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:27.456{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1179903103F06056B2059130004E3819,SHA256=10C5EDE3EC98AAA647BA11F7402ADD331418850C93D7114AF17DED578984EE4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030824Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:26.404{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57601-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001030826Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:28.972{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05A7D080ECAECD61CF79F9BB1DACD2AB,SHA256=A86264B5D1B78DCF3FACCD8A16D27AA116EF3E896FA60467307EEF6F41FC1061,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893286Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:28.644{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7448-60FE-0C79-00000000E701}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893285Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:28.628{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893284Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:28.628{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893283Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:28.628{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893282Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:28.628{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893281Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:28.628{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893280Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:28.628{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893279Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:28.628{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893278Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:28.628{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893277Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:28.628{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893276Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:28.628{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-7448-60FE-0C79-00000000E701}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893275Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:28.628{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7448-60FE-0C79-00000000E701}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893274Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:28.628{D94AFF6C-7448-60FE-0C79-00000000E701}1596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893273Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:28.487{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A96CBF9456505936DD2898E663169583,SHA256=429C36D5EDD594B1B35178239EB960CE3B93F4C5BF33AABAAE982C5A6DBE8986,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893318Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.987{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7449-60FE-0E79-00000000E701}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893317Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.972{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893316Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.972{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893315Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.972{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893314Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.972{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893313Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.972{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893312Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.972{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893311Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.972{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893310Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.972{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893309Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.972{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893308Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.972{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-7449-60FE-0E79-00000000E701}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893307Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.972{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7449-60FE-0E79-00000000E701}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893306Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.972{D94AFF6C-7449-60FE-0E79-00000000E701}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893305Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.659{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0E37194C6848DD57F7191B1ABA0B50,SHA256=396326EBED95B379FA89626609C87F59D3DFF7C21B43F0B64C3C18FD61CDA7B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893304Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.425{D94AFF6C-7449-60FE-0D79-00000000E701}21802900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893303Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.315{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7449-60FE-0D79-00000000E701}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893302Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.300{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893301Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.300{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893300Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.300{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893299Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.300{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893298Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.300{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893297Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.300{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893296Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.300{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893295Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.300{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893294Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.300{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893293Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.300{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-7449-60FE-0D79-00000000E701}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893292Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.300{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7449-60FE-0D79-00000000E701}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893291Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.300{D94AFF6C-7449-60FE-0D79-00000000E701}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893290Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.019{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02B8A9D80F8277F47BE56FD6C0B16BB0,SHA256=3D709A1D2350901B324D4F8EFC5B0A531E11425CF7297B72273F4995D6941B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893289Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:29.019{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C95B42D7327276ED916E67D71E27B325,SHA256=82165BD34A6B9835EC744E46CC280A2D0B9490614DC1D0459C286F2F719ACF69,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893288Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:19.119{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52698-false10.0.1.12-8000- 354300x8000000000000000893287Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:19.061{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net61331-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893320Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:30.894{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=352F7370D519E6BA858E5A72C5C15B6E,SHA256=7117002C459EBACB892167756BDB48A65285852A8BE519E2610FC94051FC1A9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030827Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:30.018{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4BC9E67E10E68D170C4FE60BB164C7B,SHA256=B280EED9417E7A4B46EA2553356BF7BB793DA21DFE49227097D7B0681629A629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893319Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:30.315{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02B8A9D80F8277F47BE56FD6C0B16BB0,SHA256=3D709A1D2350901B324D4F8EFC5B0A531E11425CF7297B72273F4995D6941B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893321Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:31.940{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D916634F20FAC209D304BB6E47DDC666,SHA256=77AC0320397E6EBE366A6D6A28EDAFB3CFF6A563B0EF7481C7043FADE758B298,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030829Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:30.157{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57602-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030828Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:31.096{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C1DECAD90E652A36C65BA7EE2CEF0CF,SHA256=FEDBCED90EE2C62F54FE5624735CBC44896FB0655FD6FA376E51FC1768422873,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030830Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:32.097{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB043AAD94E80D195F11CA706FFBE6A1,SHA256=D4B51A1237098B5FCA539A39AEEA438D943CE4F1DC8B1BD3882CECD528641F72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893322Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:33.050{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFFEBFECF139224D92AD725A22A3C7AE,SHA256=427E79ED70D3BB2B0ABAAE296B328B20B6AEA9EEEA30E0EB569DA0B05C2CEFAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030831Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:33.128{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0BDFCAAC69BA27DB9C24C15378A8EA,SHA256=AB35DA000063376AE3778F1A38469704ABDE42F6BE99D7DAFAEA1CC65294D4BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893324Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:24.213{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52699-false10.0.1.12-8000- 23542300x8000000000000000893323Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:34.065{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F4C700697EF064ECC2F9F7BACB3DCC0,SHA256=790093D880AAEF665365FBADD7629F38BFF44E11DEFC098D5E350342FAED14DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030832Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:34.128{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA13DEFC0BDBAE4419356D49656CBDAC,SHA256=C3663D2037E2A34C01EB76E50322058322A8B3C3A2E98803E70F29262CF24E0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893339Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:35.565{D94AFF6C-744F-60FE-0F79-00000000E701}10923164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893338Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:35.456{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-744F-60FE-0F79-00000000E701}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893337Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:35.456{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893336Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:35.456{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893335Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:35.456{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893334Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:35.456{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893333Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:35.456{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893332Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:35.456{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893331Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:35.440{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893330Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:35.440{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893329Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:35.440{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893328Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:35.440{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-744F-60FE-0F79-00000000E701}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893327Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:35.440{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-744F-60FE-0F79-00000000E701}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893326Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:35.441{D94AFF6C-744F-60FE-0F79-00000000E701}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893325Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:35.065{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55975682123AD50E237482CC2D9905D4,SHA256=AB36E19C951B6A9E1ADCAA4D46F936D8A0A0413B3FEE63BC1AD89BA8D96038BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030834Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:35.235{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57603-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030833Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:35.143{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A88529B9A0E26ED7AEC483C142FB7FB3,SHA256=59A228180EED3A812662E3B6919DBC3B4673873436F72EAC95FF2CBAE09DE61B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893342Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:36.659{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5ED9E935BE9F7360E27E7C277E50838,SHA256=0BC8C21C41A020EC1CC96FC4FB7678659FC588E89DD5756A6E42534B722ECE48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893341Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:36.659{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A7CC47ABC4D515ED2321BBE5DE5430E,SHA256=B1AB66E1E6FCA76C0FD47B5D2B88B71EDFC82E87871161225195170062314D3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893340Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:36.128{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=252B9EB0DF74F771182AA5BE4054162A,SHA256=8E88E8D604743870914C88440703999295481CFB9E37A7C725966824FD5EC127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030835Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:36.175{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D5688EF09B829E3F415F5052884FE2D,SHA256=462B61892D0039B0E142366FD095885B29D5734991FDC9F57E76A8F3F9D17E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893343Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:37.144{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3395004B24F1D1920FAFB0A9B0998E9,SHA256=F98408F1E221A5018EDF3EF738B126BD21F3D4BEF966E0AC4233B3CCC929143B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030836Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:37.190{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D757FEBB54964005007E7ADC5375E9,SHA256=098D86AC364C4E2EE22D721C71E79A6139E42862031D67E0C7AF402E73E3B3ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893344Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:38.362{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B185F97BEC10054B836055A24BC3231D,SHA256=3FBA86CF8FF3A3CDE4862A858A3595E96C1B8DAFC358D5172C6891A4D90968E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030837Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:38.190{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E944EF6A142485AA907BD20AC4BDEE41,SHA256=C0F4AC119938066E05B373D7539247DBA8DE5A079B459263F97DB1F750C2D89B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893360Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:30.135{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52700-false10.0.1.12-8000- 10341000x8000000000000000893359Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:39.643{D94AFF6C-7453-60FE-1079-00000000E701}604920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893358Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:39.518{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7453-60FE-1079-00000000E701}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893357Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:39.503{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893356Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:39.503{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893355Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:39.503{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893354Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:39.503{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893353Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:39.503{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893352Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:39.503{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893351Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:39.503{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893350Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:39.503{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893349Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:39.503{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893348Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:39.503{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-7453-60FE-1079-00000000E701}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893347Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:39.503{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7453-60FE-1079-00000000E701}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893346Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:39.504{D94AFF6C-7453-60FE-1079-00000000E701}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893345Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:39.425{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03A1683CDDC1F93C7046782251917E4,SHA256=164CB00E405673B0D6C1D2CB5A91623CD746C336DBDCF2BF85BBF12472669ED0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030838Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:39.190{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D3A5E02C3BCF3DB1B69AA5346F1F3C0,SHA256=12142CCD74B26A49C007CFD2F9F29C659C7F6CE4D18884620270A974D87A381E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893376Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:40.722{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3971D3EA5ACEA701F3348ED9BAAD06DB,SHA256=4319F7D0E5293150F0D89FB732E81A2359AF9F13FFCF40740DFAD0E2DCC8B89A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893375Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:40.722{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5ED9E935BE9F7360E27E7C277E50838,SHA256=0BC8C21C41A020EC1CC96FC4FB7678659FC588E89DD5756A6E42534B722ECE48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030839Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:40.206{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B21AF809B7F6E13262E9E505D01E05B,SHA256=79CA73DF006045B63D4D3B77115CDAA6BFD238171A36F7CC9DB4D926A6EA2831,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893374Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:40.300{D94AFF6C-7454-60FE-1179-00000000E701}3652640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893373Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:40.190{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7454-60FE-1179-00000000E701}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893372Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:40.175{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893371Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:40.175{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893370Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:40.175{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893369Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:40.175{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893368Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:40.175{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893367Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:40.175{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893366Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:40.175{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893365Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:40.175{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893364Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:40.175{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893363Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:40.175{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-7454-60FE-1179-00000000E701}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893362Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:40.175{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7454-60FE-1179-00000000E701}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893361Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:40.175{D94AFF6C-7454-60FE-1179-00000000E701}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893377Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:41.956{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6568290730096222907DD5A1B808A242,SHA256=CCD89CBBA10913CCE34F4BCF1777C5570A3EC7EE2C5878EC95BF2D5A90B74AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030840Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:41.206{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2BD43F9FE81A4B65EAF4E1DB2E06A3E,SHA256=38004E3676CDEBC7C7496F1E0D13AF85D01DFBB15443AC9D751970183F2B7A00,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030842Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:41.173{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57604-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030841Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:42.206{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A8204DAC73FAA66E8498D915EE06BB,SHA256=FD4E5A18C39029955435DA64893322B71C898751D493938DC2DA8B7C23F96F94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030851Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:43.878{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7457-60FE-A279-00000000E601}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030850Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:43.878{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030849Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:43.878{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030848Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:43.878{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030847Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:43.878{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030846Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:43.878{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-7457-60FE-A279-00000000E601}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030845Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:43.878{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7457-60FE-A279-00000000E601}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030844Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:43.863{2E2BE06D-7457-60FE-A279-00000000E601}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030843Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:43.206{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1684242589429D3EEC55CA16FC48F57D,SHA256=098569D8B4670C3AA5D754C0E779D43CA9CB9E971AED4C7577117C0A6659D070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893378Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:43.003{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B6240E58EE0221DBF40B83FAD5BF7B,SHA256=A351AE352615A889BB711E9BB9CB14D7BDACE2F2F17F6ED9A6987D729388AB6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893379Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:44.175{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95294F5F3A1DC154BE9E05484D65F68B,SHA256=A74EA0EEE7BB5E2B7FDCCF72944251ACE053338AEF08B21DFC331B269F34851F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030863Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:44.878{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6FC1438A109FADB915C315F06108479,SHA256=FA38906A240E8B54F9BB8A8CE6B14D4B1E3435C8D7D21CA4FB69B28658603CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030862Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:44.878{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B563CF9C76B1725DF678D1111CB5678,SHA256=EA6F22D2A9857012E2CCD076CCAC1E1C7BAA6D6244408F5FE3FDE52614747E22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030861Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:44.565{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7458-60FE-A379-00000000E601}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030860Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:44.550{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030859Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:44.550{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030858Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:44.550{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030857Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:44.550{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030856Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:44.550{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-7458-60FE-A379-00000000E601}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030855Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:44.550{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7458-60FE-A379-00000000E601}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030854Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:44.550{2E2BE06D-7458-60FE-A379-00000000E601}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030853Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:44.206{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C15F451A2FDCA17E1111714FD2C7C5,SHA256=4131CF1D0CE170EFE7BCE1016B77B730545518AA1F1010D1B082C667D2EE634C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030852Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:44.143{2E2BE06D-7457-60FE-A279-00000000E601}42084960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000893382Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:36.072{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52701-false10.0.1.12-8000- 23542300x8000000000000000893381Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:45.472{D94AFF6C-6DD8-60FA-1100-00000000E701}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6A061F09A182622BA94073F5E4C4AC37,SHA256=81261F04A1C7ED969B76418B14C9B8B2E0B23A6DCA279C5E32DF03C0EE5E85D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893380Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:45.378{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F65F4D5BB8CD4023A3400EF294C244,SHA256=03780A96FC01E095DFA7BE37DABAF98719F82FF1593630A6BC6F8121C1943F12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030882Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:45.956{2E2BE06D-7459-60FE-A579-00000000E601}27246484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030881Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:45.753{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7459-60FE-A579-00000000E601}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030880Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:45.753{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030879Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:45.753{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030878Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:45.737{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030877Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:45.737{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030876Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:45.737{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-7459-60FE-A579-00000000E601}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030875Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:45.737{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7459-60FE-A579-00000000E601}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030874Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:45.738{2E2BE06D-7459-60FE-A579-00000000E601}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001030873Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:45.268{2E2BE06D-7459-60FE-A479-00000000E601}6605868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001030872Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:45.221{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C66C725B49A7CD1DA17FCDB081943EA3,SHA256=F14F8C065AD8F7E5F0A129671C783DC8F57DA98A1C0CB7A2ACFB9D18F25356DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030871Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:45.065{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7459-60FE-A479-00000000E601}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030870Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:45.065{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030869Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:45.065{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030868Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:45.065{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030867Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:45.065{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030866Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:45.065{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-7459-60FE-A479-00000000E601}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030865Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:45.065{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7459-60FE-A479-00000000E601}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030864Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:45.051{2E2BE06D-7459-60FE-A479-00000000E601}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001030894Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:46.628{2E2BE06D-745A-60FE-A679-00000000E601}66606380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001030893Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:46.236{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57605-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001030892Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:46.425{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-745A-60FE-A679-00000000E601}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030891Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:46.425{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030890Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:46.425{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030889Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:46.425{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030888Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:46.425{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030887Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:46.425{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-745A-60FE-A679-00000000E601}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030886Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:46.425{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-745A-60FE-A679-00000000E601}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030885Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:46.411{2E2BE06D-745A-60FE-A679-00000000E601}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030884Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:46.222{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F829BD592E5C8132399A83675FD609D,SHA256=6EBB431310E7C11095D4508AE2A7D2FAC4A51CB9BEA16EBC0C2F67AD823EB633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893383Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:46.409{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A438D455144D0D24C2EAABF1FE36ACF,SHA256=CBED953D381CA61EB5BE712250BBFDD76A89D4FCD38343B1132DD474625EC89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030883Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:46.065{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6FC1438A109FADB915C315F06108479,SHA256=FA38906A240E8B54F9BB8A8CE6B14D4B1E3435C8D7D21CA4FB69B28658603CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030904Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:47.409{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E01138808E5C13034B3A41BDB08A81C,SHA256=64C7E0860F0308FBCF7A41DF64841086F306BF68D1330D933381376B13C76559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030903Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:47.237{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D03FBC05AAB584563F6ED0CDCFEAB099,SHA256=AD0F43392951EACF7279930DD3AD291B2E05C66AB17C3B217BFBC8699B53CA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893384Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:47.440{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E65920363078C67658C2E5D2ED17879,SHA256=4B93A6762C4BAD1BA70B0C262951F197E11AC2F77C286D555DCD3497D7A3D900,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030902Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:47.112{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-745B-60FE-A779-00000000E601}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030901Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:47.112{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030900Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:47.112{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030899Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:47.112{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-745B-60FE-A779-00000000E601}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030898Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:47.112{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030897Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:47.112{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030896Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:47.112{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-745B-60FE-A779-00000000E601}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030895Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:47.097{2E2BE06D-745B-60FE-A779-00000000E601}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893387Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:48.472{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C9F847A59369762816405E2EA7F8E8,SHA256=7DA5B4A581F05891751BC893E9F748A4D82A7F0AD25C49682D39BD58B160E2C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030905Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:48.237{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AFD8E4B6442C4D941ADCA224D4C76FF,SHA256=BA5CBB2598A8D8EEE2AD23707F79C906724E8A48B123574A065BE7B9670486A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893386Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:48.440{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8EE5C864650659FBBEA0BD192C9E5C4,SHA256=9276D01EC23CCF9494997D0304CF2A65AE6F48063EAD6D2EBEC0B51E3465260B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893385Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:48.440{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07E3DDDA4DB7B46CDCF26DE708F3C19B,SHA256=F5469514F47EFDEC59AD611C71F9DB889ED5DAF1AEB5641009F1CAAA61694C69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893389Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:49.581{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A5A1681C607E1342F3C438260238BE1,SHA256=090C9D75EA7D2A1917F40F0C8856B1A59555D8B41AB68B66A33189AC2A234F35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030906Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:49.237{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=223F6F2E0135253FA85DD6A321733093,SHA256=12F6C1627F267784601140B9A7D748CF824E4B2F9A742D994A83D4ED0D3CDC90,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893388Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:39.212{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.33-25810-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893391Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:50.597{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30188725AAD45723261E9F8584A9BDC5,SHA256=ED8B1A4BF8C57012362FD489D8E760B03821551429D135488EB61BCDFED696FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030908Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:50.612{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=618ED29A8C09C1797A644CA22773F6B2,SHA256=181116BD6F4ADE3C6A2F3CD152802FB4F2A53D2311B749B6993D97921E140A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030907Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:50.253{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA0BE6E495BEB905D3F70230532A332,SHA256=2B986F2F96019E9A53D63B9AF786F26684641128F65D69EB518B77EB617A5A44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893390Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:50.456{D94AFF6C-6DD9-60FA-2200-00000000E701}1296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893393Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:51.597{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=700B6EF76696B5191F8C48A23E5D01C2,SHA256=38DA6561F7097DB5E1A02A8BB0161822407E4EC68444218F74A1E70B93029EB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030919Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:51.831{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-745F-60FE-A879-00000000E601}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030918Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:51.831{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030917Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:51.815{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030916Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:51.815{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030915Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:51.815{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030914Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:51.815{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-745F-60FE-A879-00000000E601}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030913Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:51.815{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-745F-60FE-A879-00000000E601}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030912Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:51.816{2E2BE06D-745F-60FE-A879-00000000E601}6732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001030911Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:50.752{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57606-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 354300x80000000000000001030910Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:50.751{2E2BE06D-6DE8-60FA-2300-00000000E601}2740C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57606-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 23542300x80000000000000001030909Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:51.253{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E567A6765DDCF30E13BF994D796846D3,SHA256=1064442AF5393E7C5BB01D0DD10EF1C8A24D95D3221218AF9AE170981CB6D713,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893392Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:41.259{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52702-false10.0.1.12-8000- 23542300x8000000000000000893395Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:52.612{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74005C0428F01C9D16F91975A8E0613,SHA256=A4A591B17F5C07D07F931FD3907BCC095BBE0FCA950CABE6BE089B7BAFDB060F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030922Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:52.846{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2D36DF908D15F89B4A25749DC1B93E6,SHA256=742580465B6790569D6DD4B6E8022D1591E62726596391AC70F5CA3760B2330A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030921Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:51.267{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57607-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030920Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:52.253{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2513795FD87CA4B25D7837FBDC1B602F,SHA256=C930006384032DD9E5532AEA8B3ED3173BC2C18C0C728C13A951512B18841AB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893394Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:42.447{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52703-false10.0.1.12-8089- 23542300x8000000000000000893396Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:53.612{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE620F854ADCD4039FFE7F3B44A3A2E7,SHA256=D76D8AF6BB6C2D2087918A5753D7DDCE71B3A9D707F46A39CDFFA64AD04678F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030923Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:53.268{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8A5ED7398608708A27FE6F136F2C0E5,SHA256=0D59F42356C0264353922D43740CE8FCF5CB9DBCB2A4B749568B2962A16CB114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030924Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:54.268{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=601FA0791AD559CAB5EEA1F7D76C0CCD,SHA256=E8FB3C6085CB2F89CB3C47A5DCE5111E9DFC05BAD23B9DF74C220BEE6B9FBD15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893397Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:54.628{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF20F1E8B67E626C40BAD30F5234E841,SHA256=D240FDCD643C36F3ABF9320EBF286009DDD747794461179DF651090673D74B69,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893401Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:45.689{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.7-21137-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893400Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:55.643{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97B8408CA2DFB6DDC9E12DFFA64B326,SHA256=807ACA2DBFBB8C97628270A5FFFFEC115C92BF99AB2584ED36ED68AC6B3A28CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030925Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:55.268{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E5B2BB9BEFA4D0639419A942429335,SHA256=2A8F9C083F2B3C41DCD498F302BBC50E29B1BEF7A5586C90E8B03421E5F7847C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893399Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:55.597{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB4530D1E661F58BCC21762E6C3576E9,SHA256=01DD7ECF13B7E897A17BEBBB9711E11766EBDB4480B89DBCF190F3FB6B048E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893398Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:55.597{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8EE5C864650659FBBEA0BD192C9E5C4,SHA256=9276D01EC23CCF9494997D0304CF2A65AE6F48063EAD6D2EBEC0B51E3465260B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893403Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:47.150{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52704-false10.0.1.12-8000- 23542300x8000000000000000893402Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:56.659{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7884B28379CCDB3626F187F857D511,SHA256=34D0CFE8E7075BCD62D2AD71D737D15055469DB6936AAA4B5CD2B0B1B5DB868F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030927Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:56.376{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57608-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030926Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:56.284{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB2AEA2593139E0CA58321D60AEA3A6A,SHA256=EA7DF19309302AC80115BF0A378246E58CA07B313197A8263265529C397EC4C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893404Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:57.660{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65CAF9125F9D2426A957B26EF8076F4B,SHA256=666450F96ECE7B337A6B8D57C8573FA865B5C7A8B39ADF90E1C2F733B0135BD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030928Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:57.284{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0D02ADFC3E72140AC7CFF726CF4DB74,SHA256=E5326B703B8DF17E20FDAFFC6D6E597F161DF75C1B90638468C816EA30B61D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893405Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:58.673{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B04C153DD8C0E5DF8E440DFE6146309,SHA256=71DF258E598A797D6E6327C3163846C3E972B2CDBC58AA9AE170829627EC41DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030929Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:58.284{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8D59767AF02D3895C5B7218411BA55,SHA256=797BA3CBA2FFF32DE63E44CFC43A29C0B0B223C4D7B6A1227606ABABD4BE94B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893406Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:59.674{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB5B5874ADE11A91FB9B8E193AD50C5,SHA256=6C20BA06D578C2502932E1DE64FAC539ACACAC169808576EEC5DE4E0340FA141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030930Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:37:59.300{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=753450BBB28BE0D394F7F4B793EEC8D6,SHA256=683BA7A101F6BEF25A56EDB844D843CF0BDFF510827E96DE9A01890FDC389412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893407Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:00.689{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83414675B3B64542291BE1E18CC12984,SHA256=41A8C6F1593C21AF4D4C40B490067990ADFF7B5AE2865E8465CB4330142257DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030931Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:00.301{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D418A1B3BC2DC7B63CA001BAF065C6A,SHA256=B6EDC2704E13B43F374E9DC1CA4A196D8EFE57735E9276DB4D1983AD4472EFBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893408Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:01.705{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B393082C6C61EE4F4846BE6C16E0E5BF,SHA256=FE5C9F1B11150FAB2B5FF1C9EDECEBAE9BDFA9EC65798476071D9E9195BF7E50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030932Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:01.315{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=738CD263105024AF50A8E6EA6E9B59BB,SHA256=EAF99F2FF41AD0569A0AAF4128C32947E0D609779D6C734CF0C5D487CE5FA4DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893409Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:02.721{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B85E3199688D9BDADA0B90A5E4AF0C,SHA256=A270C01F823224A31C661E90E53B2972C60E8303BE62C95D1CD816A44E284185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030933Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:02.315{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=946171DCDE25289A74CD7F5B636B691B,SHA256=0AF1C388FB53A530B29443B623620B7C2D3412852137AC0F2464424C1ECA0C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893411Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:03.736{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1281774935C449F4F87D811D4C0A41E2,SHA256=9BAA047490A5A1D7F690EA6A3F93AACA0DDB9861747DCC7365F08D59AC74F5D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030935Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:03.315{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46C774B5C762E1637A4C13035BD1573C,SHA256=2AB9F5801E25FCE3A1710BD73BE80DEB500D32D0E7167EB97B177FDC1968F1BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893410Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:53.055{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52705-false10.0.1.12-8000- 354300x80000000000000001030934Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:02.252{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57609-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000893412Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:04.752{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566DA28A78459965CE7A1FECB216DEEB,SHA256=EE8871CEE58B123EE089A40520C1223D1EA423012DBF88E6D20781D544392F8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030936Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:04.331{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935D6F4E2F708D47CE7347DD650B9E79,SHA256=2EEA18A84318DE1D9D6482F28665CAEB7D99112E29BDEB08CD592C13696572EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893413Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:05.752{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89277C5246192BD06227FB87162972CB,SHA256=CDC3B281430C06C0B57F705CFD51228C6299CDE940B6E01D55D219C36873BA0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030937Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:05.346{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2669EF2440BF93C2000ECC2F3A21ECD9,SHA256=2C43D5202DAD6B33FF86C02AF6611073867780A4287CB4473E73D08690D7CA5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893414Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:06.768{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7633E7172BC9A53298E86D9207E405B,SHA256=8C5E657B75F7C5AC05E81B9A2DFF32672654C5F7D7CB95416D303C017F329DED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030938Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:06.362{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD89DB8EF6AB9D20FD0BB7B2DF255FE,SHA256=30FBCD82BF1B92E2CCE24FC327EF536EF27EE4FAD7C97B8E00D63295A1463CF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893415Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:07.783{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD355B6080E58A9A23113618ACC85EB,SHA256=D1F7FCE5CB8371E60D9CE49096BA6AC41E5B951E23F5B88D18E836B30AE2674C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030940Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:07.376{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57610-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030939Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:07.362{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC90D14EBEF71FFC89D2CB4AE158774,SHA256=8C08CC0D757545CB977BAB2B843ED55AFD0A6A9CA280C8E3D49B34781B8A5868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893417Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:08.799{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39D23AD5EB8AC0D2D9FE4FC24905B1DB,SHA256=5D6BCFADF83F91AA1EBB4B17161D5E34A38AB5E125FCA353AD8B60783BBBDF1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030941Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:08.362{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C1D1A5C02377CA519BC25A0BC2C7EDB,SHA256=E2079DBDCA151BC99F45086DD1538CC6DCEBDCD1534A5ED2A1F12AA896EAD862,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893416Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:37:59.055{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52706-false10.0.1.12-8000- 23542300x8000000000000000893418Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:09.814{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=779F9CC73686CFEFDFE5C1B081A06FC6,SHA256=42F61BDC53A52A554EC7AFFBB7F27CA77DECA6862D7645CA3C4E93F372E8D252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030942Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:09.378{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A25586EA8063180BFA10BF2AAC89D87,SHA256=3D604B0BEA359C8CEEC56E7504EC2D744382A0932114A7579D34E4B75FBE879E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893419Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:10.814{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C164A0537B2ECD5F0E4D3F9DCA4AD36E,SHA256=B9FE559B0653EA583EDE278AC8EAED6D1467786F2A4B0C1043AB220557ECB73B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030943Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:10.378{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A93F08BF92E6A886CBDE72F3AA760CB,SHA256=616121CE9B713CD1F43617467F91B6B9E84D8EFD6690FACDE18C46D838A6162D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893421Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:02.565{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse50.212.63.14-49225-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893420Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:11.830{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B8CAD1881A6B1EF1AC44CC7652755AA,SHA256=D058F9F3DA4CAEE1AFC2733CDCE446A5BA2490717A834B8545C303A88385F271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030944Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:11.378{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E56F1ECBF90AE577F1D4F71572724F0,SHA256=C238803641773EA0C870721F288FA8D41B8F49D6B2218F5761703651FF367737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893422Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:12.846{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60078E36F943231963734803B7FF5518,SHA256=9CAB7558A71736084E8F0B28CBC6C9D173885A6F9C2AF4F32F028584A4CB4B52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030945Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:12.393{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A9CDE4D2A49886656232C11A8D282D5,SHA256=074DBF0CE3E35F129BB6B97BE25285FF4EFB842569914D706D1B363867488BC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893426Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:04.211{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52707-false10.0.1.12-8000- 23542300x8000000000000000893425Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:13.861{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9A560F8F89EF68529B329BCF0BC885,SHA256=B47F31D315E4EBBB1DD2C9DEE91E06A6C09BEA35FD69CE6FA5606F79716EECCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030946Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:13.393{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64A60D9BD29ACDF0D9AB88C88A5D6194,SHA256=A72602B344269C29525D1AD2071C343897E3D7687692FBEA1FD92D344E43B91B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893424Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:13.783{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5361E920FBAB5E86273AD6C17EC7E44A,SHA256=49E288AE56867781CA04315F4E24D26CF2A49F7E8BBC7A138110E06F52A55EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893423Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:13.783{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB4530D1E661F58BCC21762E6C3576E9,SHA256=01DD7ECF13B7E897A17BEBBB9711E11766EBDB4480B89DBCF190F3FB6B048E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893430Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:14.877{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82CD0D40741303014C7082A576EAAFC7,SHA256=A518E546DC01EAE64D9DE7C71E51FCD57E6659C2051E3C73429E322267B78E0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030948Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:14.409{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=539AB9D98596C905D9677FAED729ADE6,SHA256=F476F36DB21A250259F86ABA9C13151AAE30B31BE5A3BDBA48A44972E07E33EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893429Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:14.471{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD8-60FA-1300-00000000E701}684C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893428Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:14.471{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD8-60FA-1300-00000000E701}684C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893427Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:14.471{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD8-60FA-1300-00000000E701}684C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001030947Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:13.282{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57611-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000893432Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:15.892{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150D72E822D1CA54DEE492E40E992480,SHA256=0AD3A4C2174EC6EF24B65A04E8DF7F421A6EA2623768DCE64518E033DD9CCC69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030949Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:15.409{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E77B08A1EFB1AE973CA1D32D0D636856,SHA256=E6344F1099F4FF82F072CAA4F9EDF086B84D0C0FBE3B3121F6BD8E4DC775B574,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893431Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:04.637{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.33-1322-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893433Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:16.908{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A89D2733FFA790343F5ED704A81280C,SHA256=9E440AD434B8C64EC3B9843C7298AA2909333FD6F06F5DC39865AB00C8583958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030950Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:16.409{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85ACF4831549CC6E2AB21060EFD53043,SHA256=376A5334921DA52D347684DC75E4ADF0C1A6F80F4213D5B5A7DAA6E8506F179C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893435Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:17.908{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA57CFDEFFB33D4B9A30B63CAC390F24,SHA256=022DE9818D57D67884F7067AA1A827194E09D9217469119918CDA1CC55B0016D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030952Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:17.925{2E2BE06D-6DD8-60FA-1200-00000000E601}780NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F52F91ADD1A2F2C9DEF207151A4A017A,SHA256=067ABA892D20BBCAAC7B06E0C72F937FDF79BFE7F6B1577E8EBC332C4856FE6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030951Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:17.409{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D8535EE3CA6B8651AE47BAD881B0B05,SHA256=74B8FD1C5DAB258D2DE427F34B52C7C28D3244F01BBF1D2DCFE33EDD1E79D64D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893434Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:17.846{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5361E920FBAB5E86273AD6C17EC7E44A,SHA256=49E288AE56867781CA04315F4E24D26CF2A49F7E8BBC7A138110E06F52A55EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893436Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:18.924{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B154C1D4433D9C7651BC00BBC0CF12E,SHA256=2922E5006100365312C52C3584343041F5E803733E3810DB7D8E2EC0FA2B3AB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030953Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:18.409{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620FE04D52F54830C10FCD9A389CB0B5,SHA256=9D52CADE443CFA4610225FEC48023D331916101E7049BBF523F0F017C830E8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893437Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:19.939{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B562BF61BBB5F6533F03796362C847,SHA256=317484CFC1088010C7C9E90DA1802871BB2CBCE71AD9522785D648A398C3760A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030954Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:19.409{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E167EE33F6FA6B1D0F53251E4524B800,SHA256=E03BE4640AD54DFEA4BEEFF052E33EA5BB3A82682F16BEA0A77F69E124E6A9F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893439Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:20.955{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F33178F950587B9E4F218BC5F80FF76,SHA256=F54FAC07AD7BAB2E013294EF8E4D3DB4222FAE58ED2AAA487E5501F4CDE2B824,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030956Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:20.409{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1957C5CC3FE87050ECC9461162B751,SHA256=DDF41F44AC28508453D08856B59E44AA3DC5037408746A485D0AB334E673ABFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893438Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:10.195{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52708-false10.0.1.12-8000- 354300x80000000000000001030955Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:19.204{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57612-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000893440Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:21.971{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EB0D2C22202C197A1F8FD68853B042F,SHA256=DB5C34534AF48D74A1B3A85B97334AC603A0D546F1F5D999816807BAEB2D15AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030960Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:21.425{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF4739EB86620A9611524677717C7E4,SHA256=0CD966289DCA5BC33916AF8E5A5CFD3DF6C4E9127A2A8664E02CE776942DABD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030959Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:21.409{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DD9-60FA-1600-00000000E601}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030958Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:21.409{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DD9-60FA-1600-00000000E601}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030957Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:21.409{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DD9-60FA-1600-00000000E601}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000893441Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:22.971{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00F4F5D6DD4D446ED14B3E4A705197D6,SHA256=4E5542F5F8D164F5FA252696B9044A1CF81D4F45DDB453DA817A78C980A37241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030961Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:22.425{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FF6BCF38708A0B54DB0DDF4F7FCA6C,SHA256=3018E3BCCBA7FFB7AF19FBF81FC796EC3DEEAFA8B024BA26C6293F5C06659168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893442Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:23.986{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E9F24C436C5729395C1128634F773BE,SHA256=1165F18C29B2DADF42C1E05B502CA4BA85362D5098A23C1EF1BC619CDA34B5D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030962Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:23.440{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E68804BA57902AE4AC00F1A2A90D9BEA,SHA256=587167456FB48C6D7AA8B793F926D040C2A6C462A9ABDAF45C31DAA7CF1C4651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893443Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:24.986{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A186E0EA128C23EA7F0BE5972D24112D,SHA256=8BD791EF7610D329876FC022FB43D71B43C1762A1C26D715ABB1A4CE72F466E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030964Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:24.456{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B5CC7915AB487FB5CA6FC7900B8153,SHA256=F05C549DFE7ADF587219CDF6510DA188224222D5371D93F5C4F9ED9225B60C1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030963Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:24.314{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57613-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030966Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:25.458{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB7D4033B990C24A69B3B7238DBB7033,SHA256=183C1254CFB0C80217FAA7AFA9DB1C35551846322335FD61339E52AC93F5EF58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030965Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:25.302{2E2BE06D-6DE8-60FA-2700-00000000E601}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030969Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:26.833{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31ACDB7441C79D64899B240A2D3754BF,SHA256=CD34F776815DE0583E7A3B492C28D71655DE33B2F6534945328D49F54399C09A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030968Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:26.833{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82FD49EC581A9082BB4FF4D1EE2C5548,SHA256=B64D9971DE0E0A9A247041159AFE3C0D9ADCD5F50195837366A980C4428222AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030967Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:26.470{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08E9939B5A6739409A78C69A2022323C,SHA256=DFD211062DC25784510F618465FF98947AFC74DCA015D0FCBBD2835D15F2A67D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893445Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:16.132{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52709-false10.0.1.12-8000- 23542300x8000000000000000893444Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:26.002{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D64B6725D45CF4BB7C513461D02B348,SHA256=43EEF96472BA8C4972F7FEE2BD50021761E7C8E1F992DD01189EEE63E16D5539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030972Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:27.474{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68716F6D33CD756DDB45F317274150C,SHA256=DC20CEDE240750E4F2B781AC3F3A6B1E7F89ABE5BA943D64ABE1C77F8AB889B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893459Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:27.971{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7483-60FE-1279-00000000E701}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893458Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:27.955{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893457Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:27.955{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893456Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:27.955{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893455Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:27.955{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893454Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:27.955{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893453Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:27.955{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893452Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:27.955{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893451Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:27.955{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893450Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:27.955{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893449Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:27.955{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-7483-60FE-1279-00000000E701}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893448Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:27.955{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7483-60FE-1279-00000000E701}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893447Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:27.956{D94AFF6C-7483-60FE-1279-00000000E701}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893446Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:27.017{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56BB85491CB227FFA4C3C80E2599CE74,SHA256=2DE56F07C69D020CC532720DF129858647913018F24C631C527EE502FBBD6A33,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030971Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:26.465{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.7-43332-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 354300x80000000000000001030970Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:26.426{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57614-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001030973Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:28.473{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC789B3588659FCAD74FD4FB1477D7F2,SHA256=657AEC5931693CE0224439B2B5DB1CB7D81074B30EF0F04655E7F90978D7063E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893474Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:28.611{D94AFF6C-7484-60FE-1379-00000000E701}4361456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893473Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:28.502{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7484-60FE-1379-00000000E701}436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893472Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:28.502{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893471Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:28.502{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893470Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:28.502{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893469Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:28.502{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893468Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:28.486{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893467Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:28.486{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893466Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:28.486{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893465Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:28.486{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893464Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:28.486{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893463Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:28.486{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-7484-60FE-1379-00000000E701}436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893462Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:28.486{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7484-60FE-1379-00000000E701}436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893461Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:28.487{D94AFF6C-7484-60FE-1379-00000000E701}436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893460Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:28.033{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AF62871A4375327F968642837C9259,SHA256=B8EFE9140BF70356B32BBAA87F7C7B8B321C31305D16F68A61282B717227F4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030977Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:29.958{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31ACDB7441C79D64899B240A2D3754BF,SHA256=CD34F776815DE0583E7A3B492C28D71655DE33B2F6534945328D49F54399C09A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030976Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:29.473{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D963C0E471E9DB0B7707D6A126CA0E,SHA256=1FB489E9B23598DBA6BFFD406B6861D5F778500CB12DB0455B5046A193552A9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893503Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.814{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7485-60FE-1579-00000000E701}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893502Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.799{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893501Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.799{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893500Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.799{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893499Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.799{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893498Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.799{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893497Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.799{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893496Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.799{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893495Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.799{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893494Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.799{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893493Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.799{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-7485-60FE-1579-00000000E701}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893492Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.799{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7485-60FE-1579-00000000E701}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893491Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.799{D94AFF6C-7485-60FE-1579-00000000E701}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000893490Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.127{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7485-60FE-1479-00000000E701}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893489Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.127{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893488Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.127{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893487Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.127{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893486Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.127{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893485Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.127{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893484Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.127{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893483Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.127{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893482Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.111{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893481Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.111{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893480Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.111{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-7485-60FE-1479-00000000E701}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893479Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.111{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7485-60FE-1479-00000000E701}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893478Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.113{D94AFF6C-7485-60FE-1479-00000000E701}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893477Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.033{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4D045CD7E01FC8A3CE727A6A7D1180,SHA256=7AED5EFF224568FEB94CB9585EE495F29ED0A2566176BFD983B66D816EB7DD2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030975Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:29.363{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57615-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001030974Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:29.293{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.235unn-212-102-34-235.datapacket.com31454-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x8000000000000000893476Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.017{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=491F0621BB4BAE633CD795075829E0F6,SHA256=B8315F4C7BEB70FCA83FC2C478EA5D28E12FEA8410C5DEEB850B2FC6C3AE6BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893475Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:29.017{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0A32B33561ECCF15BF2859C48423EAD,SHA256=B1AC85BAA1777C8A0C20FB89B804649F22AEE1457881C461327517C6998AFEC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893505Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:30.252{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B70F1A4FAD9F23254DA9B11C48A24E,SHA256=8A0065FF33A237F6D0C5BE581A1E073FCA9569DB883DDB5A09C8BBD76298FA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893504Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:30.252{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=491F0621BB4BAE633CD795075829E0F6,SHA256=B8315F4C7BEB70FCA83FC2C478EA5D28E12FEA8410C5DEEB850B2FC6C3AE6BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030978Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:30.489{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF06D75B22E19E51B53000415DEE3DD0,SHA256=3AE4A925E513B58903553F2F9CDD1D4829D0AB616AE3437977EA04DEFCA79B0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030979Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:31.505{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D734AAE29551A70548D65E3EE91FCD20,SHA256=17F4C09005C99E6181D923AE66BCB44713FE27A002394C61A4242C6C5D6D072D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893506Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:31.392{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDD650657CB55C312B86B03A1E658AEC,SHA256=0720E074AB30BB963DF65FF0D9631B4BB18A24593F736DEE0AEDDC97F9C91B8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893508Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:32.392{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B669A7A90AD063C11842898CC72F47,SHA256=D80FC62F07111498AAAC42F4F189B0CA3720EEA4B4C139155D178AD2E913C2BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030980Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:32.505{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5661A05F2C443D1642D511DADDF9364,SHA256=2B51578F1C1FA732999C67FE79B6DE37E93C038BC88A28CFA9DFCA6910988867,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893507Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:21.257{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52710-false10.0.1.12-8000- 23542300x8000000000000000893509Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:33.408{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=205CEA5B93158DB20F5374AEAB6281EE,SHA256=550DECFD79A20095711FEBDE7A930E15E7FFB855D87EC4B174B826169F92184F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030981Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:33.505{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A6F0D9B40AAF33F0EB31B0384C934AD,SHA256=066654A0E4C4B51E06C10D08D6E2D67716AC9526CE9C5BC9601BEA5CCD89F8BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893510Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:34.502{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CCB5C8197B5ED50CDCE19293C9D0059,SHA256=580E086C91BE24FF920F1DFA817836CAFA94EAE678EC51608D60D503EAEE1036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030982Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:34.505{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E0BE9434755F6F3E73F2DB78D0319D1,SHA256=4FDDF5723E47A52F9816E0F263305B93BF4200207A030B3810A2D47E2DAEB478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031015Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.802{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0261B80E8CEDAE3C22A6BAEB1B7DEED5,SHA256=AF19C602D4904A63ECEDD0AC06F41C99AE8CF762970DE09BD49A1EF5E81D8A7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031014Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.285{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57616-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000893525Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:35.580{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DA6AC62DA71EE15422269513AA8C51,SHA256=FAC6D1EDD031E0491A309B8A21D0C9AFED65B7714DCC9350D6B19F3CC29132AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893524Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:35.564{D94AFF6C-748B-60FE-1679-00000000E701}22763128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893523Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:35.455{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-748B-60FE-1679-00000000E701}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893522Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:35.439{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893521Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:35.439{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893520Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:35.439{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893519Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:35.439{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893518Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:35.439{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893517Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:35.439{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893516Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:35.439{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893515Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:35.439{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893514Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:35.439{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893513Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:35.439{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-748B-60FE-1679-00000000E701}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893512Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:35.439{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-748B-60FE-1679-00000000E701}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893511Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:35.440{D94AFF6C-748B-60FE-1679-00000000E701}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001031013Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031012Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031011Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031010Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031009Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031008Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031007Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031006Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031005Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031004Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031003Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031002Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031001Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031000Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030999Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030998Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030997Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030996Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030995Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030994Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030993Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030992Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030991Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030990Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030989Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030988Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030987Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030986Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030985Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030984Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030983Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:35.473{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001031016Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:36.692{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98EE11F5CE2AF9F1E1390B42F9FB0014,SHA256=264676C09A5329D38E6132CA0C6896ADA937AB74C94CAD7B429037FC69CCE060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893528Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:36.611{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D135D0E67D0017A08C7BB2B36B81D8CF,SHA256=392D0F1A43E55EF0E153F666057034B6AB87266C9CE5D601DF43B9D3D949A24D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893527Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:36.502{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF0B229E40EA369D4B60557587A06B6A,SHA256=D7CCAE8ECD53B2AF7D542DEBFB65503BE48BC9551B94ECDBFF52456E67AED53B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893526Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:36.502{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9669BC309B7B5B8A8559F38A6D3C060,SHA256=1C5992FE094362FCC4615CFB376BE8A9E05B5EF9097C7323AC843139D4BA6DBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031017Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:37.911{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=012B48F78871464EC39ACE0EE09F8C9B,SHA256=C9E57DCA5A2F7EC20EC074974CB996D89AF0822C35006B8BC02333D8EEBD8B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893530Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:37.642{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB600D536708FFB9E97E2AD49330A96,SHA256=F8107012A2ECB0DA97692304CB6DFAB539CE562EBF4E37BD0C1B324F6BA19770,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893529Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:27.179{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52711-false10.0.1.12-8000- 23542300x80000000000000001031018Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:38.942{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC9BE88F6FE67D3FDB3896050A4F7B7E,SHA256=DB4E6729AC2250BF610F2330182CB87B33EE14BAD1D73468A6B89DBC4CD4DD0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893531Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:38.861{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8576DE3C472DD7DE6533CF2B25DE5F4,SHA256=A19153E2ADE146EF336C31762998E54650B8FC8ED338BFD7B566523C0ECDC60D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031019Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:39.973{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A806F64558DD9593490E036FD3E5486A,SHA256=FD783722D0384D9C27EAE8B11483A0EDB99FA63D6775EFD2F442ADFCB7DF47FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893546Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:39.892{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF0F6D6654406FC2D7E3EBDF14350F7,SHA256=107D37BFF162A1F0AE7C231CD4E866EC8BE27684695ACC1735189A89316599BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893545Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:39.642{D94AFF6C-748F-60FE-1779-00000000E701}25683520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893544Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:39.517{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-748F-60FE-1779-00000000E701}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893543Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:39.517{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893542Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:39.517{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893541Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:39.502{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893540Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:39.502{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893539Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:39.502{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893538Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:39.502{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893537Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:39.502{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893536Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:39.502{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893535Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:39.502{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893534Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:39.502{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-748F-60FE-1779-00000000E701}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893533Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:39.502{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-748F-60FE-1779-00000000E701}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893532Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:39.502{D94AFF6C-748F-60FE-1779-00000000E701}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893562Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:40.955{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE508EA12E86EC87E8AFC1B2B3FBCB6,SHA256=C659ADFFD0CB8131EA8E769E05A5EDF1D94AD02521ECA312DD69BE774475377B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031020Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:40.973{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8DE3E0AA9E4327F26FB6C85911E4D29,SHA256=54C8C4DD16EABDF9F24932774254F77406CF4E18ED417D944405906FB0600F2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893561Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:40.517{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF0B229E40EA369D4B60557587A06B6A,SHA256=D7CCAE8ECD53B2AF7D542DEBFB65503BE48BC9551B94ECDBFF52456E67AED53B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893560Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:40.174{D94AFF6C-7490-60FE-1879-00000000E701}24243180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893559Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:40.064{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7490-60FE-1879-00000000E701}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893558Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:40.064{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893557Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:40.064{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893556Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:40.064{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893555Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:40.064{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893554Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:40.064{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893553Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:40.049{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893552Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:40.049{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893551Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:40.049{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893550Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:40.049{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893549Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:40.049{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-7490-60FE-1879-00000000E701}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893548Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:40.049{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7490-60FE-1879-00000000E701}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893547Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:40.050{D94AFF6C-7490-60FE-1879-00000000E701}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031022Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:41.989{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66BED2017367F394F41D8A6B67B9BFE8,SHA256=000099D13E10F3687C74B19C7A8B02E13CE65F135AFD70993EF0264BA341106B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031021Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:41.160{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57617-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031023Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:42.989{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4804CEE436C26C8807A676A2BCFFC22,SHA256=6AA5368204F725E3AEA32DB24F8DC9AE2077F9B9C6F8E3535155BCA8B177F8F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893563Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:42.205{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7392681D4BBE406FBE59795B311E8C3F,SHA256=05EEA25B67BCD94FAAF96E6BD51EA39F7029861875FB40B96C18A0CAFB7AF217,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031031Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:43.880{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7493-60FE-A979-00000000E601}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031030Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:43.880{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031029Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:43.880{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031028Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:43.880{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-7493-60FE-A979-00000000E601}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031027Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:43.880{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031026Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:43.880{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031025Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:43.880{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7493-60FE-A979-00000000E601}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031024Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:43.865{2E2BE06D-7493-60FE-A979-00000000E601}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893566Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:43.924{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F2BA67387FD14D58634DB65C36EA9DF,SHA256=D94707476E83C540DF18F722F6B839C7DFEC7C7D5AF88D15439E1A620B98A794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893565Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:43.221{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71AE7CA5585815F92D556D157322B72B,SHA256=9C9C4AAF8C6AFFD71D19B9D586B47183455D7BD51DEF62F32890B0230A470593,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893564Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:33.069{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52712-false10.0.1.12-8000- 23542300x8000000000000000893568Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:44.236{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94903DE4A324C0499B1C0D867E1E14CE,SHA256=9E0D13BF77AB4A9A7A682C9BE926F6531A99CEC20D85F34E7ECA2D6986210332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031043Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:44.864{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F1624F00562421E90CF0C2D80DFF529,SHA256=F1C93AC957F3F04D1F2EDF7964E4FEAAA882348A0CDF447363C04138EF6B5194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031042Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:44.864{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A47FEC38C55311A4C3B6A1C14A4C3CA,SHA256=E56CAEDD204273285892ABE062C6637C4E3614F0E844D960F974AD23867B7133,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031041Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:44.411{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7494-60FE-AA79-00000000E601}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031040Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:44.411{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031039Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:44.411{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031038Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:44.411{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031037Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:44.411{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031036Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:44.411{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-7494-60FE-AA79-00000000E601}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031035Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:44.411{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7494-60FE-AA79-00000000E601}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031034Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:44.397{2E2BE06D-7494-60FE-AA79-00000000E601}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001031033Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:44.192{2E2BE06D-7493-60FE-A979-00000000E601}4624288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001031032Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:44.005{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E3B958B348FF8C6C07617C17A687F8,SHA256=E899976E03689ACAD8F3E064C8D2F9C859E3F8322D19FE792F27950FE583786D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893567Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:34.675{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.235unn-212-102-34-235.datapacket.com51170-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893570Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:45.486{D94AFF6C-6DD8-60FA-1100-00000000E701}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=06F930D7F179A6EEC45FC112FC81A7F1,SHA256=09BB6AF759CE21579512EA17BE21A13CC3701969BDB4EB95BA4385FFEE074AD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893569Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:45.252{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B615616E852C2E2E580BDEECB387D61,SHA256=A61F521EE934D615070A2EEDAD708841D10590545B5C23504F1D27DFE9F08BB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031062Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:45.911{2E2BE06D-7495-60FE-AC79-00000000E601}60486612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031061Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:45.723{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7495-60FE-AC79-00000000E601}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031060Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:45.723{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031059Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:45.723{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031058Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:45.723{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031057Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:45.723{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031056Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:45.723{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-7495-60FE-AC79-00000000E601}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031055Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:45.708{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7495-60FE-AC79-00000000E601}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031054Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:45.708{2E2BE06D-7495-60FE-AC79-00000000E601}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001031053Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:45.255{2E2BE06D-7495-60FE-AB79-00000000E601}63366560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031052Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:45.036{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7495-60FE-AB79-00000000E601}6336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031051Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:45.036{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031050Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:45.036{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031049Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:45.036{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031048Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:45.036{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031047Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:45.036{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-7495-60FE-AB79-00000000E601}6336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031046Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:45.020{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7495-60FE-AB79-00000000E601}6336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031045Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:45.021{2E2BE06D-7495-60FE-AB79-00000000E601}6336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031044Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:45.020{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE68178D4208776F87E761F405A2C8C2,SHA256=7611D7AEEF9392724E726534687EB3158608CD0213BF2D0ABA28B0CF873C72B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893571Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:46.252{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1B0ADC0FE7E8ED2840EF6ED2F608988,SHA256=C63F2354D5A291D278DB8DB84D9FBDF29C578B7513BBECBB84C1A0031627959F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031073Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:46.331{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57618-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001031072Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:46.411{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7496-60FE-AD79-00000000E601}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031071Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:46.411{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031070Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:46.411{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031069Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:46.411{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031068Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:46.411{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031067Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:46.411{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-7496-60FE-AD79-00000000E601}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031066Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:46.411{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7496-60FE-AD79-00000000E601}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031065Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:46.396{2E2BE06D-7496-60FE-AD79-00000000E601}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031064Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:46.192{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F1624F00562421E90CF0C2D80DFF529,SHA256=F1C93AC957F3F04D1F2EDF7964E4FEAAA882348A0CDF447363C04138EF6B5194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031063Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:46.161{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6476DB4D496BCA08F8F7CB5BD470EA0A,SHA256=158798E210BFF394271CDA748EDC22E0103431F3ED6DC429F5F1B2A32EA634B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031084Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:47.395{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A76D12A6F620D1C5D08CCB8B9C1B683,SHA256=76C5ED1965954162369D60E255318D937C7EFD873D367A132AF6BD24CEB52C5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031083Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:47.348{2E2BE06D-7497-60FE-AE79-00000000E601}33605024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001031082Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:47.161{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E17EB674752A754CBFEF2D5D24128BF,SHA256=C010B52B801E7787A66017CE191E86E0DAAEC0F7594131254D1CE6160F29EB95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893572Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:47.267{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD4B87A5B6115C54C611D7685DDA5DB5,SHA256=0D6AFED0918383C3544B7A317F21240F8A51FBD99973EF196C5DFDBAC2E89500,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031081Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:47.098{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7497-60FE-AE79-00000000E601}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031080Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:47.098{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031079Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:47.098{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031078Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:47.098{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031077Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:47.098{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031076Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:47.098{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-7497-60FE-AE79-00000000E601}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031075Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:47.098{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7497-60FE-AE79-00000000E601}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031074Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:47.083{2E2BE06D-7497-60FE-AE79-00000000E601}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031085Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:48.177{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E598F1A580E641E634C2C15BC7F22E60,SHA256=D58443B0051677BC49B2EBFA35493A6697ACA418674D5B92309F49850CD0E7EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893574Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:48.283{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B11B40C9E8D26E9248CC3F2EA4961AE,SHA256=1CA74B9F4AAD86B10196832F547398EDD285187358D7F67F782C9A1F8283B57F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893573Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:38.163{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52713-false10.0.1.12-8000- 23542300x8000000000000000893575Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:49.299{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA93FE70C4DA75D3C417926FCCD33CE,SHA256=710B2DFDC4A28BBA69FC8EDBEC4D00CD58694E3C167F53A6157FA47A519D119A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031086Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:49.192{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6AF71DCBB828B95A99D725B8DD7265F,SHA256=1C44FD30BF00EA01CF613A24673AF2CC759FC8DF0AA0FFB83922ED8F521582D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893577Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:50.486{D94AFF6C-6DD9-60FA-2200-00000000E701}1296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893576Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:50.314{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1500FCF63D2270D880389876B40234FF,SHA256=3B4AE5E5E458D4A0FEADB74BD5C21CBA2ADC82F08190C04C67A2146A283905A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031090Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:50.754{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57619-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 354300x80000000000000001031089Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:50.754{2E2BE06D-6DE8-60FA-2300-00000000E601}2740C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57619-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 23542300x80000000000000001031088Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:50.614{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDA147B0BEA0B64CB6CBC741BCE8838A,SHA256=35C4DE72CF0381EA36939952FFF47E9D9F28D6C27AAF66296C464DFF5D7D276D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031087Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:50.208{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FBE357C33326D72CBB298373B16D628,SHA256=6EF6CE9007E29702518403157261019BC50CD6AAB02DBE2E58D740DD38057944,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031099Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:51.848{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-749B-60FE-AF79-00000000E601}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031098Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:51.848{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031097Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:51.848{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031096Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:51.848{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-749B-60FE-AF79-00000000E601}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031095Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:51.848{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031094Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:51.848{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031093Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:51.833{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-749B-60FE-AF79-00000000E601}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031092Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:51.834{2E2BE06D-749B-60FE-AF79-00000000E601}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031091Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:51.223{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D148B6CB5BA0FFFB737B824EAA8E15E,SHA256=7D1B935BCB22A7B3763C7332CCFBBFF29455294B4570A709A41112D926022E8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893578Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:51.330{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3336F0BC632DF3AE0A0E4DC839B17C83,SHA256=77B26EF001F8FD8E1461B4DE053AC9365D3E8A5FC60CFCB25C44D3FCBCA6D560,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893580Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:42.475{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52714-false10.0.1.12-8089- 23542300x8000000000000000893579Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:52.330{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28BE9FE06107E28A2808AE9636D02FB5,SHA256=AF709E653894A05E0E8ACEA16FA9CA0430D1D4CE84790E45D0D8A0CB54C90ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031101Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:52.880{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B46CB6A18A9F64BD67D0DDBB1D555084,SHA256=247505FDDAB3DBACCDC2F1171E440F62082CC382E58EED36412676851881AF97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031100Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:52.270{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC5FB088CCC9515793257357F2966493,SHA256=AA2BC0CBBE5E19E3B9608C2F8E62F0901E32BB7FD36941CE3A6B8048E686421A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893582Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:44.053{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52715-false10.0.1.12-8000- 23542300x8000000000000000893581Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:53.346{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B46929AD74E16CD4003F1917C48797,SHA256=42546D90B8655E08A4414F48D99C0ADE079E9D70AAFA931F54B8ECD6F7751708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031103Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:53.286{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3266969B460D9EA77D03E300E6369642,SHA256=AE95D18847CDBDB2BB311D1E8059FF2390A3065F546CC2B5C7DA289CBAC7C611,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031102Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:52.301{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57620-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000893583Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:54.361{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF91286DB1F32F41152EAE3FF2F9089,SHA256=0825DFC0CF093E710D997A9D7F2DC3ED6CBA383C782C81C9198276E3DBA4BB5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031104Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:54.333{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92599FC3EC2A7FC1919D9923F4CC2BAD,SHA256=432578F5D8D719BBB47C38C3DAE4963013F0F08832C802A70CF304ABF28D9A2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031105Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:55.333{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33EC9B82EE6BA2489A4B5374ABBD9233,SHA256=BB3555C031B61916F2E7A276846F08F5BD15A3AF8B4EA97AE9F0478153720C57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893584Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:55.361{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4616629CEA6047F9EB93C348D6BD3C7C,SHA256=709E8042AF6F4E26BA14398E51FFF4689B584BB52BEB29D5F251BC26EE15F72D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893587Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:56.580{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BBCF723141D36614BBAC7B3CB3D9046,SHA256=321B5D03E3EEAEB8C121E93CF29DF8E9CA95A4AB74BF7EFA45D2E0B17FB45958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893586Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:56.580{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE41F2BB6916C13F7BD1CF0A13B48609,SHA256=2ED91E2452EA715C17957EBD2CDF7C51DD841FB935D2E257C6DC0CA7A7B4EAF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893585Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:56.377{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC7E48663EB01A4A2D4F9155C81AA60,SHA256=D40F0BD73FCC80E0810C6E21747A812ECBA1EF73B6D0A5DA421F9F29E66BD804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031106Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:56.333{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DDC1824BC7916F7634991BF81BB7C02,SHA256=AC4F8820FC7BC2BD1550EE5BEBDB46F9D842C9F8AB7D6AA806DD71451F3922E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031107Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:57.380{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465F6068F87D45504402793525A08A3D,SHA256=F91C3B3EDD89EC578708B1654EFAEC7858AF8137A358DC1954E37A906C368D2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893590Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:47.976{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse165.227.69.223-50932-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000893589Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:46.980{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.227-61423-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893588Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:57.392{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15A64872CF35DE0581B39B68831B68EC,SHA256=84002B23DC9A9ED6AB86CFADD9F4ED219285756422C0653C29B418D05BB25F5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031109Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:58.395{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA571CEF11B85AF9BCE299B5D90BD38B,SHA256=A0C1A0474994C717AA053EE2067DB859536302C42C041DD94D90C0CD19EA90F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893591Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:58.394{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AA86E4420F9B903C2647D82CE01E8B5,SHA256=BF9BF22ADC60B1A32BDC8B60BE5B26A54D2D09D876A5704EED2351E99205A985,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031108Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:57.363{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57621-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031110Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:38:59.426{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485E1C2CC630FD08704EA6B0E7C7DFB7,SHA256=6D3A9EF70EB97531E59F57AB336F8553C7DDCE37A16B059B5C348B8A8475994E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893593Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:59.406{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A60C2833B6032208398018668CDB46,SHA256=76AC0B2BCA5DFA4798C3F5259F3AF932EC6602688E1CE946BF26D32C4A9058B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893592Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:49.178{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52716-false10.0.1.12-8000- 23542300x8000000000000000893595Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:00.407{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BAE4793CE5C4A5478A239DEEFDA8FD4,SHA256=8814538A43CC2D283AC5CBEEE8C3A40C74E495D1323F77BD822DF7200A5BCD97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031111Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:00.489{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16311EA54B8BCE69379E8E13D1FE04A5,SHA256=A736FFFC3A8A7C84AA7065A5EFDB84ECCAF53D0F030E5B2C83B1133C182C4A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893594Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:00.079{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BBCF723141D36614BBAC7B3CB3D9046,SHA256=321B5D03E3EEAEB8C121E93CF29DF8E9CA95A4AB74BF7EFA45D2E0B17FB45958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893597Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:01.423{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3622AC3ACE89D70856AADB394B6A6C9F,SHA256=3086B6973D4CFEEBD2E74C899A8FA56CBC0C41FD1DBF8829F47884D991B2B16F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031112Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:01.505{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4025520E0884ECA37E617B203398C3E9,SHA256=FA6DE1A3FDB8AD555CDE9F69AE36571A0174B3A9D3EF6EA92409F21A9F8926CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893596Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:51.265{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse136.243.129.221static.221.129.243.136.clients.your-server.de55477-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893598Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:02.438{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EE8BC73CB2541A635B724B4D048F8E2,SHA256=35B558F11FCB34A3080AA2A3A6841CB045BBC5577FC1705A9B69CC9C37E1AFFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031113Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:02.520{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6373EFD1D9C905B43D7C404EDDB953,SHA256=E81CAE93B8C8E849BC396005EF5DABD883E84C08E43C10E1DAB33FD563F154F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031114Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:03.536{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2998B9D8285C4037083586AB864136C3,SHA256=281E036626FDA19446BE2EF3153A0D6A6F8D75ECCD6D6BEB33EAC4D9247074C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893599Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:03.454{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75F1D0FCEDBC767F023E106A77D0ADF7,SHA256=F8BA79E1BF41CD7874672380A2E1B1A95057D06C478AFF7E87F54063342C2A0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893601Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:55.115{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52717-false10.0.1.12-8000- 23542300x8000000000000000893600Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:04.454{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DC7257B660E50317FDBE03B6D3E4C48,SHA256=F6CE1F4BEAB54DC4663B34AE009B9ECDF5B5BDFECB50E4FAB35895DE4DB9956F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031116Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:03.285{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57622-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031115Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:04.551{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163ECA9908B3ED022489E3454EDA6182,SHA256=CCFF2D75E11BD1AC54739658C6BB30E0B9EFAE3ED5C861F37CD829FD9885102D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893602Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:05.470{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=614D1DE13358A74DF0E665791723BDE6,SHA256=E2ED8E66FD176ACF13DDC65D3B79E92DDD081C67DE958A32FAE7917E108862D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031117Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:05.551{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F8F2704F5B5D09F51E78877B3400B8,SHA256=9F84F77B532EDD65DF3B1806CCFB5B0B592347F56681D6A22FEB5674A8E09DD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031118Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:06.614{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=237CF485C6E9CCE3BB57F4A3396E5C98,SHA256=29A96D15E6C051718F9FFF97E9867E35A814A464106A755B1A0B338DB9AE0BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893603Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:06.485{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E980B4CD3822EE032277F5B83F930078,SHA256=7C1C950C2D238C1401BAAC943A04D1938BAE24D78BA48891E3993E5A3B00AE1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031119Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:07.630{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=178B7E45815E8F918CE568979C1841F7,SHA256=E97887C8E272E37995D9E4C344983C12B08E8658960B528D2AC6B1EFF5E79207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893606Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:07.501{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9857429D169B65DB60F65DF0D344FE3A,SHA256=0BBAE8C77E15E9B69E0CA71D047137954111DD9CE1756E01500C7496FEF7F6D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893605Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:07.188{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=387458EA66460461B718026B05823FF2,SHA256=B88BDA8F50F238B7C2A926A61A28F4441A81B5DD74387D3628CE003297818EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893604Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:07.188{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=994BA6EFB40937981B646065FC61209A,SHA256=4A7B3DEFDAE6E87CAEF87D94C70C2E8197C4203B9379DE336323347159BD4941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031120Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:08.630{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB8113A79BE86580FC11A5F4F0875335,SHA256=3204DE19980D56A859343C5E794D5EDA24EA59E7A516D22BEE3EF3485AE6C2CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893608Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:08.517{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D820C9C51C69FDC2E6DF527177183B27,SHA256=39E4C0AD9E0382D4B974972E114A18E0982351384E80B514434C304FA7044B05,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893607Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:38:58.042{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.20-14428-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893609Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:09.532{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=371D47B21A3ADAF433D0D3570C81755A,SHA256=FDC2DD1B0B9DA94618E72E9CA3BB630B07C98B37CEB53D9665FC5667E49504E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031122Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:09.739{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC2319B505CE1F5E8D570A8B50FC8C6,SHA256=37116FA1E1DC896A61697E763A273DA0122F00242C9DD4256015E2844218DBFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031121Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:08.394{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57623-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031125Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:10.786{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A3928708EE83F3F2F0209E61D7FEABE,SHA256=A24CFB8CC88CED2A0B7BC51B5B74CEBA96A44D443D51FB4DA4452C236C8D7DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031124Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:10.786{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C24C759355031DA5B7AC92305F614F5E,SHA256=915C7CF92362E81528957D9191C87E570B029BB40166740CE4DCA44892A81D92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031123Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:10.755{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB2DFA899CA1933B9F7A11A830C71B42,SHA256=11DE4365EA1068E353386C2D6797A818924DDE3C252E800D7BCF596CBABA3F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893611Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:10.548{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E675EFF242C69AA1E3F9D92F995A8E,SHA256=1EB5FF448AD8ED30E92031EFC658C6E841725DDBAFE2A71744C0860C610D0287,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893610Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:01.036{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52718-false10.0.1.12-8000- 23542300x80000000000000001031143Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:11.770{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D30EE7B4197A6FCA6D13C26A96FC21,SHA256=F7B9287665EDB27C95AE8026F826F23648BC8AEE07CE4CFD6E336A1AD0CE8DE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893612Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:11.563{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74204322F8CA7D278E0C7881D6E0663,SHA256=2588E076D7BEE3EDEF13D7CA382BCF8C3A5789F269AC7589DFD2FB0D845D6861,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031142Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:10.932{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local49777- 354300x80000000000000001031141Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:10.932{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local49777-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domain 354300x80000000000000001031140Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:10.931{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local54450- 354300x80000000000000001031139Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:10.929{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.14win-dc-56.attackrange.local58709- 354300x80000000000000001031138Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:10.924{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local52745- 354300x80000000000000001031137Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:10.914{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.14win-dc-56.attackrange.local53565- 354300x80000000000000001031136Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:10.913{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local52506- 354300x80000000000000001031135Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:10.911{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.14win-dc-56.attackrange.local49789- 354300x80000000000000001031134Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:10.910{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local54810- 354300x80000000000000001031133Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:10.909{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.14win-dc-56.attackrange.local64796- 354300x80000000000000001031132Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:10.909{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-56.attackrange.local64796-false10.0.1.14win-dc-56.attackrange.local53domain 354300x80000000000000001031131Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:10.908{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local64796- 354300x80000000000000001031130Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:10.908{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local64796-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domain 354300x80000000000000001031129Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:10.897{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57625-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local49666- 354300x80000000000000001031128Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:10.897{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57625-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local49666- 354300x80000000000000001031127Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:10.895{2E2BE06D-6DD8-60FA-0D00-00000000E601}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57624-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local135epmap 354300x80000000000000001031126Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:10.895{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57624-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local135epmap 23542300x80000000000000001031144Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:12.770{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4DAC127471BD5EAE5931BC3B43BB12,SHA256=D199D25D0CE5C25959DB1535A08FD5CC4D29C0117FE620D7EBEE0FC5BDF08C3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893613Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:12.579{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=875FB29E9E9F200D65A681A1339D2137,SHA256=15C9D7A6DFC86213BAA30DD0044684B088234901F522521947D2CAC163359A28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893614Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:13.595{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D9E083071BFBF1BDB26EAAEEE7355BB,SHA256=A8DF0B078A5F86E341A91535D54D064BA13A77EAC95E2AC635D45CBCFF8CB830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031145Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:13.786{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=474E3B00D21858E5DE401D82A220CD55,SHA256=B1600444483C83DD014A7CC96FF5DC30E053722C44120F45D40695C7E030F092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031146Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:14.786{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF89ADE5750D5013D306BC7ADC02B2A7,SHA256=E6E2016EB5AC7B6CD02AAA7EADE8A36785D775B52E6E0E317EC7E3AAA9F954D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893615Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:14.610{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE661FC09CE79929D30B5C37D2D97E12,SHA256=99604196C844A4F45C202B84760FFED8F78AE5EC53D6B9979A53FE52E80C6AA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031148Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:14.301{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57626-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031147Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:15.801{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6362D039A129F2667516F4978EB54DE8,SHA256=A93A1ADB308DED38107A2CAA94A4763C184C40CA15F62603E2658FF919EB4C84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893616Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:15.626{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A5FC17DDE721D510F0DFED0EF77FB83,SHA256=F630CF02C1EDC70DEC55C8DA3D874697C8AA6C5BD695A8A2DE362630BFD9787C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031149Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:16.817{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0D1B6D8EF4EEEB6BFC610A420BED231,SHA256=A87FAFE3C95875333FBBAD270ADDDECFFFA80887B12B1715100C3615AFA51D39,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893618Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:06.130{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52719-false10.0.1.12-8000- 23542300x8000000000000000893617Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:16.642{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E26B00150A95C747661877A9F2455FCE,SHA256=ADC67B4A0433A2FD9D2CA2050256975A513A68A78E5BF2BF2FC4B3E6C0C6766C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893619Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:17.657{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A7D57B963D911C739766F5996B0302,SHA256=6036B7B0EA18D2950D21C2F5D9BD2EFB82ED0987CD0450CE0E3B48A41D518AE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031177Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.927{2E2BE06D-6DD8-60FA-1200-00000000E601}780NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B92280789EFCA717902F185417491FCD,SHA256=BC0EA462011C98205EFFD4C21ECDC3A2630D17E57C04778BBF70FF4C544EA467,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031176Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.256{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57180- 354300x80000000000000001031175Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.255{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.14win-dc-56.attackrange.local56703- 354300x80000000000000001031174Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.254{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local52297- 354300x80000000000000001031173Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.250{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.14win-dc-56.attackrange.local51932- 354300x80000000000000001031172Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.249{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local50228- 354300x80000000000000001031171Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.247{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local51135- 23542300x80000000000000001031170Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.817{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84DC1C3AD90293E836889FE81B95F1FF,SHA256=FD475EFDF436A1FB3D8651A70EBABABC83002B2E2D2EC76378675A2B92785C92,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031169Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.245{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53578- 354300x80000000000000001031168Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.244{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.14win-dc-56.attackrange.local54167- 354300x80000000000000001031167Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.244{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local55839- 354300x80000000000000001031166Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.240{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.14win-dc-56.attackrange.local52324- 354300x80000000000000001031165Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.238{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local54903- 354300x80000000000000001031164Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.237{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.14win-dc-56.attackrange.local65255- 354300x80000000000000001031163Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.234{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local54803- 354300x80000000000000001031162Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.233{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.14win-dc-56.attackrange.local49886- 354300x80000000000000001031161Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.230{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.14win-dc-56.attackrange.local52280- 354300x80000000000000001031160Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.230{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local56536- 354300x80000000000000001031159Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.228{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local55728- 354300x80000000000000001031158Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.227{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.14win-dc-56.attackrange.local56530- 354300x80000000000000001031157Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.226{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local49404- 354300x80000000000000001031156Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.224{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local56685- 354300x80000000000000001031155Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.223{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.14win-dc-56.attackrange.local57365- 354300x80000000000000001031154Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.221{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local65047- 354300x80000000000000001031153Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.219{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.14win-dc-56.attackrange.local50909- 354300x80000000000000001031152Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.215{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53522- 354300x80000000000000001031151Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.214{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.14win-dc-56.attackrange.local56189- 354300x80000000000000001031150Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.212{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.14win-dc-56.attackrange.local56375- 354300x80000000000000001031180Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.259{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-56.attackrange.local53domainfalse10.0.1.14win-dc-56.attackrange.local52673- 354300x80000000000000001031179Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:17.258{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local58554- 23542300x80000000000000001031178Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:18.817{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6E6E7C917F81084507605A5A998609,SHA256=C0056F77C2380122E8E442D42561D8B528A9414AADDEFF78E33DFA2A0FA40442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893620Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:18.673{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1493DD03571777AA8F32CCA82B39652A,SHA256=85E22F006039C61C7FD27060B6F4500EF244ED611B51667333A99B61E32A8B19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031181Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:19.833{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA2AF267B921959ECCD89C545AC5754,SHA256=934DB3C7BCE0E0C99BEEEC9C4A681EF16E8188298903BCD4B06DB309D65902BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893621Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:19.688{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EFA71454D9387706B1E0F9E6D3A3C1D,SHA256=7B18F6D93A6F60DAA38764BE7CBA705EE23B391C003399E04353E1F3284CC0E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031182Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:20.833{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FFA5736D0CF61041E03565502BC4906,SHA256=E7F343307EEAF2A3698130240EDDACE96AB742D5742FCF012502A93890B73432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893622Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:20.704{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEBBC18F1E3964E58AAD6B66F9C00437,SHA256=0246D164147BAB448F894B98ACD3594B8227F4020914CE0D2C89B644721AA691,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893624Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:11.239{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52720-false10.0.1.12-8000- 23542300x8000000000000000893623Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:21.720{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=382AEAB8C270B2C6AD6E5931976E92AF,SHA256=406D07A8E934BAF3D4456B75253C3A161784000423B82F73556882105857CCCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031184Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:21.833{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14AEEF44E98D97D7845E5A2B07EF59BE,SHA256=B32FEEB3E971601FE5809DB42AA537B4961F2A9D435559592617997FDFD23ADB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031183Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:20.222{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57627-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000893625Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:22.735{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0102E14091A1A928F4297EF0DD220EEC,SHA256=34B70DE0A93BB7E69AE0BCE40795F5CBBC5F57DFF03204F2EB22459B9713ADD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031185Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:22.848{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0317B66AB50A802719B5F51D8070399,SHA256=54B99BED333A446E33737FF778FC4E00C988E6A1D6780D1C09645296C3558402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031186Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:23.848{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE253DCEA92CEC4861C61DD359CC580B,SHA256=BF33818B1269D099FD00E22B56D52AF33A7A46ECD80E3DC3F224CD2FC8B945E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893626Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:23.751{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC142DA7BFA1469A5EDDFDDAC79F9214,SHA256=14398AD58ECD423D44C7FD61843564206D73B543C69310A241192FB9F28E7BA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031187Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:24.848{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C496914E78C1CB98267AC5D472B63593,SHA256=724084D06A6B1093E960EA4C6964B4401F268DAEE449027684A13B75D8AC58AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893627Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:24.751{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7EA055B64E73425A3EBFDD96712FC9,SHA256=E6420A439CD8A870D9ACE6D870D440A403197E2E628F8C4308449E1D10DFA8EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893628Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:25.767{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8B50FE40226EE6E94ADA001A1E54604,SHA256=6914036F120AC84C4A28F7605B2A74A1E262D6A05E92E19251AF1E6E04DC01B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031189Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:25.850{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B06FB0DA6279DA6DABF82DBF70D74A6B,SHA256=6C0235483918532B7FB98C81345EF08EB628831C775AAA79F76FC038E72B45A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031188Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:25.333{2E2BE06D-6DE8-60FA-2700-00000000E601}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893629Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:26.782{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2785855BF316C23E14A2E3AD2A232632,SHA256=DB6032A0D6647E01314BF85E90452B9F39BC960D395E2CEAD53CAB2E905F90B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031191Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:26.863{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197F34B3C538625D58A3B92B1DA6A4BE,SHA256=A5AD22E68CA80FC9442C4E6485A13794A7D1A31B6AF52D442AB558E6CA86481B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031190Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:25.285{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57628-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031193Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:27.866{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=538A5A3A744A53048139D712A64B37F3,SHA256=309A10F30B920FFF02D5125C7C776F71605289729A883F66577CBDB94407C519,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893644Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:27.970{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-74BF-60FE-1979-00000000E701}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893643Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:27.954{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893642Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:27.954{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893641Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:27.954{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893640Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:27.954{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893639Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:27.954{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893638Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:27.954{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893637Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:27.954{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893636Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:27.954{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893635Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:27.954{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893634Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:27.954{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-74BF-60FE-1979-00000000E701}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893633Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:27.954{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-74BF-60FE-1979-00000000E701}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893632Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:27.955{D94AFF6C-74BF-60FE-1979-00000000E701}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000893631Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:17.145{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52721-false10.0.1.12-8000- 23542300x8000000000000000893630Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:27.798{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE611D6BAA087F9ACB9798D37677306A,SHA256=C596561126618C5C7E252D0296970EA9441491D0B7E4A470675E100ADD543502,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031192Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:26.457{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57629-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001031194Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:28.897{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=557A9B64945C59C3D03C2A84D9BE0554,SHA256=BEF35BFB12F617CBFFFDBED756626670FBBD5F0D26D3D4F1867706503A722B20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893661Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:28.970{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BAF9AF4EDC6F59405ACB0462550FA0B,SHA256=F0B22929EAFCDCD4D1775539A7DF9EADD831F8B45F7713EAF47EC2187ED68BA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893660Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:28.970{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=387458EA66460461B718026B05823FF2,SHA256=B88BDA8F50F238B7C2A926A61A28F4441A81B5DD74387D3628CE003297818EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893659Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:28.938{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC3EC60E9041507314CBB2F9E07DEB1,SHA256=95FC0ED606B064CE2C6DC922344B9A200B856B0DC61AB330B642EF21990834F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893658Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:28.642{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-74C0-60FE-1A79-00000000E701}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893657Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:28.626{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893656Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:28.626{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893655Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:28.626{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893654Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:28.626{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893653Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:28.626{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893652Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:28.626{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893651Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:28.626{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893650Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:28.626{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893649Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:28.626{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893648Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:28.626{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-74C0-60FE-1A79-00000000E701}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893647Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:28.626{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-74C0-60FE-1A79-00000000E701}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893646Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:28.627{D94AFF6C-74C0-60FE-1A79-00000000E701}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000893645Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:28.095{D94AFF6C-74BF-60FE-1979-00000000E701}32242808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001031195Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:29.944{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF737F0AA7EED21A6F46745104D869EA,SHA256=72666B7512A0DBF4B1DD652F522F56D05458E4965EC86AA6F7AC0FF362AE0834,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893687Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.985{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-74C1-60FE-1C79-00000000E701}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893686Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.970{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893685Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.970{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893684Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.970{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893683Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.970{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893682Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.970{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893681Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.970{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893680Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.970{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893679Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.970{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893678Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.970{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893677Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.970{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-74C1-60FE-1C79-00000000E701}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893676Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.970{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-74C1-60FE-1C79-00000000E701}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893675Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.970{D94AFF6C-74C1-60FE-1C79-00000000E701}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000893674Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.313{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-74C1-60FE-1B79-00000000E701}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893673Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.298{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893672Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.298{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893671Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.298{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893670Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.298{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893669Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.298{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893668Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.298{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893667Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.298{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893666Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.298{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893665Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.298{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893664Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.298{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-74C1-60FE-1B79-00000000E701}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893663Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.298{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-74C1-60FE-1B79-00000000E701}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893662Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:29.299{D94AFF6C-74C1-60FE-1B79-00000000E701}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893689Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:30.345{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BAF9AF4EDC6F59405ACB0462550FA0B,SHA256=F0B22929EAFCDCD4D1775539A7DF9EADD831F8B45F7713EAF47EC2187ED68BA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893688Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:30.126{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F262F2892553EF206A0F7FB5529BB3D,SHA256=906C1183DF67C9A5847AAB841FFB756C63CCD923BBD531B5D6E0D6247DD8B71E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893690Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:31.188{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEED040E0451E005815713ADDDBCB4C0,SHA256=5C6E6BC524713DA7DD3881A1FF8B58DDA3CE1416EBDAF42CE56CEFB9D14E1117,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031197Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:31.209{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57630-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031196Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:31.038{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DE3D7861CBCBB83875316B2C5A07B38,SHA256=E44804F15038CAAA8DA6B04F0941696B88729772C65460E0A2E3B20632FAFFFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893692Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:32.345{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59146E6CAA2285F772E7C41F04BCEB2,SHA256=3329CD9373EB2C12DFDF32EFB1EB2311B883BD8CFD00EF4A45430EFC053AAFEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031198Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:32.069{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2751CC95D949B9BAD8EDE63F6937B14E,SHA256=2C56B5DC1D5C96D910F35FBF147CA39BB9513876C4196250A6591CCF05E620BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893691Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:21.200{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.7-32593-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893694Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:33.360{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C638E07EDCE5430AE012D9F9C0A857,SHA256=7E4A1EF7C9CA4764CDBFB51F22B4EF9B25265E43C3B4FD11CEE9D092186D6CF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031199Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:33.085{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E1136277CE114E13FE87812A0405DCA,SHA256=DAF706D648F144E900E4AA0FAEBA9A2E43899702F5A7AE0A64E0DCC111BEABCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893693Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:23.067{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52722-false10.0.1.12-8000- 23542300x80000000000000001031200Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:34.100{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47480957BDD0B25729307CE446F676C3,SHA256=9F63153A9FD29ACB9E93BC7017E29C5B718D0B6221965CD8F4EC3F05D6D94037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893695Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:34.423{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D60CC415533D1F74C1D794CF000585A,SHA256=D133BFBE26ECFCAEFE82DB002FC152C4FB613F973507D84DAE0A9B081488B690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031201Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:35.132{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43F8720647B9400D1AB5227790F267F,SHA256=5DD3B7D574671379B91DD124AA8507BB9998950D207ACC5CCA951714F41BDBD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893711Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:35.564{D94AFF6C-74C7-60FE-1D79-00000000E701}29441428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000893710Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:35.454{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F7074CA5ED36F603D164C64EDED312F,SHA256=A48595337E8EC1AEE73230DB7379BFB54760E902A7FFB6F34EC9744B01BCA815,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893709Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:35.454{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-74C7-60FE-1D79-00000000E701}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893708Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:35.438{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893707Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:35.438{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893706Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:35.438{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893705Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:35.438{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893704Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:35.438{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893703Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:35.438{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893702Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:35.438{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893701Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:35.438{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893700Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:35.438{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893699Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:35.438{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-74C7-60FE-1D79-00000000E701}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893698Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:35.438{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-74C7-60FE-1D79-00000000E701}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893697Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:35.439{D94AFF6C-74C7-60FE-1D79-00000000E701}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893696Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:35.142{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F1772CF8CCD5BF8AA10D2E56E8D105D,SHA256=763001619B60B725A0AE984AC228FBD24509972A0185EF9C299F175B515F67BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031203Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:36.349{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57631-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031202Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:36.366{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E22525466020707D791C932A9D1191,SHA256=B37E5D821E42C9A1758DD1C4141083BB2B1C73972F045C81FAD2CAD97B6D97D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893714Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:36.532{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F226A9D00E55A7B1001E9A363244B25B,SHA256=567E76253730096A0E74D32EE827EB6311B235A397B029CBCE0AE0018B2BD483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893713Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:36.517{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8814F1F579228DB43B71F81B1BB1458,SHA256=BF5849109BDB234B49C91E5ACF915E1F880D7A81FB6DA24396C881F8DC940389,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893712Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:26.006{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.33-35831-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893715Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:37.563{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C241C6E1F781A6D2BB90C639C4A166D8,SHA256=318D72D62BEC7DF0391F440CEBD51836C570B42D9490A75C2D1BFE9946A384E7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001031207Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:39:37.991{2E2BE06D-6DD8-60FA-1400-00000000E601}688C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d781f9-0xc4d5f8aa) 23542300x80000000000000001031206Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:37.866{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23BB46FDB68BA39E22FE8D1E045064B5,SHA256=40493D3B058907DAE165A321FA8B77625E090805E5C9A9BE29E316F1776DAC1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031205Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:37.866{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A3928708EE83F3F2F0209E61D7FEABE,SHA256=A24CFB8CC88CED2A0B7BC51B5B74CEBA96A44D443D51FB4DA4452C236C8D7DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031204Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:37.382{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A5EBB1C9163E186806F38875938CF05,SHA256=A2708581456B84195CDEBF8C8A14948A28390D1B5854988EF5080518888C0BB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893717Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:28.254{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52723-false10.0.1.12-8000- 23542300x8000000000000000893716Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:38.642{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB79054973322B58F3FF2D21D7E48689,SHA256=04A3FE2621CECA024B265DB945403764659ED3F5EEFB008B05DEC810E41E4C9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031209Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:37.860{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.33-53138-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001031208Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:38.397{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D65A2329D0CA50C83542619A5F71D1,SHA256=4629C6FA9769174AB11263A132206D780FFA65D2AB53B1E32E094A8084589EB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893732Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:39.876{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08E0CA8F26841FD5145227BB785BE069,SHA256=FED629245B142C9095EE58AB26112C39D1950404E12578E4DEAE4A26E778583A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031210Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:39.413{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62960828D78B5A9851005E35AC29344F,SHA256=F11EE53BA61A287F1BC8B98A5D478C87861CDFAAE937702AB924F7DEDB6B2E61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893731Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:39.642{D94AFF6C-74CB-60FE-1E79-00000000E701}27442460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893730Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:39.517{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-74CB-60FE-1E79-00000000E701}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893729Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:39.501{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893728Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:39.501{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893727Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:39.501{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893726Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:39.501{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893725Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:39.501{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893724Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:39.501{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893723Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:39.501{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893722Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:39.501{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893721Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:39.501{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893720Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:39.501{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-74CB-60FE-1E79-00000000E701}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893719Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:39.501{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-74CB-60FE-1E79-00000000E701}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893718Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:39.502{D94AFF6C-74CB-60FE-1E79-00000000E701}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893748Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:40.938{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C18B324F823681F0D61DB9DAA5BF49A2,SHA256=5815555B34F904E13F304405BE876C1D99129A46541B2194EB5F85C5E240E07C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031211Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:40.507{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F134995D9175252DADE8BB1A4E3C686B,SHA256=E78DFDA108ABE8F38ED7A209953E3EDF0EF4A5D564BF3B11BA2104E31CA44528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893747Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:40.735{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0396B3B14D8D877C5A30771EFFE19506,SHA256=A64E9F18C3D9D8E5FD7B00E30007CEC9DCF1F9C402EAFCB326DDD33F7E2BDDE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893746Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:40.188{D94AFF6C-74CC-60FE-1F79-00000000E701}27003124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893745Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:40.079{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-74CC-60FE-1F79-00000000E701}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893744Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:40.079{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893743Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:40.079{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893742Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:40.079{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893741Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:40.079{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893740Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:40.079{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893739Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:40.079{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893738Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:40.064{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893737Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:40.064{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893736Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:40.064{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893735Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:40.064{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-74CC-60FE-1F79-00000000E701}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893734Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:40.064{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-74CC-60FE-1F79-00000000E701}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893733Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:40.065{D94AFF6C-74CC-60FE-1F79-00000000E701}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893749Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:41.970{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3483F363E23721FFD5EC5C01CBCAB135,SHA256=8A8A8CA9D1BCF23EC6E885AC6A0E9D71679EA6B8E2E03BFC33AA54FD56BCD577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031212Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:41.507{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4281BB3F01ACCAB10B20AA92FF4CB0,SHA256=338D886DF33700F0F12BF6E2D1B0CCE9775264AE0FB38E5AA8FC146CD998CE24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893750Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:42.985{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B24B23054D5616587CCBB261411C5739,SHA256=AE8FD7252335D22A00E1547E0F3416DC09DAA0F48D4AE9A5AD1D9B8F08B1C6F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031214Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:42.224{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57632-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031213Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:42.523{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B5FBD397EDD0A874499AE36C445F2D4,SHA256=2E900D0C3C48F64FB1366925F0D03712D95A3574E113466F53C94DFEC47754E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031223Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:43.898{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-74CF-60FE-B079-00000000E601}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031222Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:43.898{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031221Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:43.898{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031220Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:43.898{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031219Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:43.898{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031218Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:43.898{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-74CF-60FE-B079-00000000E601}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031217Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:43.898{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-74CF-60FE-B079-00000000E601}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031216Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:43.883{2E2BE06D-74CF-60FE-B079-00000000E601}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031215Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:43.570{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=288B2762578521CF0D1F907292D57AC1,SHA256=71EC0133EFFABC4FB02DEA70750A2F8F950947CC0BA9CC411E8E344B1CA9AE2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893751Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:43.923{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F79F49E62A1FD8D4F1F59BEDD7F727D,SHA256=72ACA05CF2964128B4D38043F936E43C0C680CF3EE16961D5A121D1A2E710907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031234Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:44.882{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB17C45B4CDD6BD41FF01636293B746C,SHA256=79262130FE3E5645B7EE964FA86D86B87F7FA77B5524C3EB941D6177BDEB3FDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031233Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:44.882{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23BB46FDB68BA39E22FE8D1E045064B5,SHA256=40493D3B058907DAE165A321FA8B77625E090805E5C9A9BE29E316F1776DAC1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031232Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:44.585{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-74D0-60FE-B179-00000000E601}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001031231Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:44.585{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D8AA56FF532FE49006CF8AB91BC89EC,SHA256=FA6307BA31E23503114CDD449A7744022238F416A43FB161D1C3AF2D445529BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031230Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:44.585{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-74D0-60FE-B179-00000000E601}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031229Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:44.585{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031228Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:44.585{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031227Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:44.585{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031226Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:44.585{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031225Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:44.585{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-74D0-60FE-B179-00000000E601}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031224Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:44.571{2E2BE06D-74D0-60FE-B179-00000000E601}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000893754Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:34.185{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net59709-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000893753Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:34.145{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52724-false10.0.1.12-8000- 23542300x8000000000000000893752Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:44.001{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D3C7DDD25B8E409A7FE73844590F54,SHA256=A93909F6CEB4BF800F58E714382ECE8457258DCC7C9D6F246079A0B6A5FAD19C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031252Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:45.960{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-74D1-60FE-B379-00000000E601}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031251Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:45.960{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031250Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:45.960{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031249Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:45.960{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031248Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:45.960{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031247Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:45.960{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-74D1-60FE-B379-00000000E601}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031246Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:45.960{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-74D1-60FE-B379-00000000E601}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031245Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:45.946{2E2BE06D-74D1-60FE-B379-00000000E601}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031244Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:45.804{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E74041E99318E894A6A3EE00903A389,SHA256=832FF1986672B6EDC236843EA26D4A71E7C7204844EEB653C024B74F59545611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893756Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:45.501{D94AFF6C-6DD8-60FA-1100-00000000E701}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8F28D3926807C1010D4CE708A70FC8F5,SHA256=2153D23E1351E9BA3A002BE39ACD1C5AC1B7AC10251DCF011F22880156E1CDF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893755Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:45.017{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A2929C4812D8E4E4BD83E8CDC569FC0,SHA256=AC78B3B132328189528B610A723ACB4C738EEDEBB23998B1F8DC94286A84AB34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031243Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:45.492{2E2BE06D-74D1-60FE-B279-00000000E601}68124368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031242Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:45.273{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-74D1-60FE-B279-00000000E601}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031241Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:45.273{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031240Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:45.273{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031239Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:45.273{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031238Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:45.273{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031237Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:45.273{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-74D1-60FE-B279-00000000E601}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031236Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:45.273{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-74D1-60FE-B279-00000000E601}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031235Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:45.258{2E2BE06D-74D1-60FE-B279-00000000E601}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001031264Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:46.835{2E2BE06D-74D2-60FE-B479-00000000E601}11845904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001031263Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:46.820{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=898EDE8A31BC7C8E03867BEC40F9E519,SHA256=22B04E16F7F9B980CDAF2330A491CF406DB1311E03DAD438456644406302553B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893757Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:46.032{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C35C6792D4FFA6EB52C92F10E16DAC0D,SHA256=A79CE6CE1810A73F81C46B42555FFDDA02FAF36DED569FEFE7C1762AC3EC796C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031262Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:46.663{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-74D2-60FE-B479-00000000E601}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031261Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:46.648{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031260Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:46.648{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031259Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:46.648{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031258Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:46.632{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031257Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:46.632{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-74D2-60FE-B479-00000000E601}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031256Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:46.632{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-74D2-60FE-B479-00000000E601}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031255Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:46.633{2E2BE06D-74D2-60FE-B479-00000000E601}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031254Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:46.257{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB17C45B4CDD6BD41FF01636293B746C,SHA256=79262130FE3E5645B7EE964FA86D86B87F7FA77B5524C3EB941D6177BDEB3FDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031253Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:46.148{2E2BE06D-74D1-60FE-B379-00000000E601}64605428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001031276Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:47.992{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5C5F9920431185609D499436D9879F,SHA256=78D03930F100C5916D7347F8173C8FFBA734FE5992A43BC889A95808DCFF72DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893758Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:47.048{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5024FD6BFF19FB7FB190172349D7DF12,SHA256=C2705355E2886F3FEE468DBE3A9B8809B9A9092C1F117D5E237A9F2B335737B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031275Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:47.381{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57633-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031274Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:47.632{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E000A16415E3E88A3A5979CB2770314,SHA256=53C3C5CFBA3713C8A46B4C622CAB9609D47DE9CA22E7996CF13C7F2B4B416238,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031273Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:47.585{2E2BE06D-74D3-60FE-B579-00000000E601}65366996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031272Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:47.335{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-74D3-60FE-B579-00000000E601}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031271Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:47.335{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031270Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:47.335{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031269Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:47.335{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031268Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:47.335{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031267Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:47.335{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-74D3-60FE-B579-00000000E601}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031266Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:47.335{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-74D3-60FE-B579-00000000E601}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031265Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:47.321{2E2BE06D-74D3-60FE-B579-00000000E601}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000893760Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:39.223{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52725-false10.0.1.12-8000- 23542300x8000000000000000893759Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:48.063{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC5D8B08CFC29312EEEFD47085227D52,SHA256=23AB208A5811E9B808E8BD69284F89C2FEB242F39CA9E31C30DAA0B0A42397D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031278Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:48.615{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.235unn-212-102-34-235.datapacket.com18654-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001031277Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:48.757{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24A37FEAD59F4BE01A26BAE8FED740E2,SHA256=82D519119F4056A1FD25B0CD05EABFCDEBFC93360B701619C3F3BD9AE58E1126,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893762Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:40.364{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.31.26.53v22019058371089428.powersrv.de53069-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893761Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:49.079{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1C4B67FA95EA413BC3A0C43CA852910,SHA256=CBE91E97189F54091B9D5202A7F21CF0012D5AE2B97D27A568FA824072BB7F7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031279Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:49.007{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F55CD179E34F2A5845F0734A65E0583,SHA256=B811BEE42247405013A816489091E2D3B8841FDEC4898FEAA6D9593B3B8CCEC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893764Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:50.517{D94AFF6C-6DD9-60FA-2200-00000000E701}1296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893763Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:50.095{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0B9D2D26CF5CBDFA57C2299BED6B13,SHA256=03A27882DBED949ED91970335A5929DC7F70BD77CDFFC3B1DADCF4DCDF1EE299,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031283Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:50.756{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57634-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 354300x80000000000000001031282Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:50.756{2E2BE06D-6DE8-60FA-2300-00000000E601}2740C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57634-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 23542300x80000000000000001031281Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:50.663{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A3164D29370BF820A3C2292B136FEFA,SHA256=A6F1AB7BD3811119C91EDF6A4507A7447D5A7FD0C5921D78E2AFDDE3D2C2A82D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031280Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:50.007{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3B421422C08862D382AA77B06B95732,SHA256=64BCA86293B4C6023A8D85E43FC7E38F348AD7211BDFE0607298F9289AE09C19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893765Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:51.110{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C88695CBDF64C8F87A59512FDC3251C,SHA256=4A306C37EFC28CCFFD38F6E3E2AB58F8163C19B6FEF4464B912525006A3D6230,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031292Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:51.867{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-74D7-60FE-B679-00000000E601}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031291Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:51.867{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031290Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:51.867{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031289Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:51.867{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031288Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:51.851{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031287Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:51.851{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-74D7-60FE-B679-00000000E601}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031286Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:51.851{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-74D7-60FE-B679-00000000E601}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031285Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:51.852{2E2BE06D-74D7-60FE-B679-00000000E601}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031284Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:51.007{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB51DADDD5B1F4D5E5098067EE896513,SHA256=10C8421C052C35312657AD1CE102582384C66E864385CAA5F68B72D6DC13C9B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893769Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:52.970{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89A5256DB4A0758823F2BF86478DA795,SHA256=8731BEFC71B1E4D34E9FB7903989AFD821780F6F8858FEB85E707D2CC44AD965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893768Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:52.970{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=385835956A9FA2646EFE0191E5370336,SHA256=F6BE6B69C8C61BD4B7C9ED8F487CB13C0C8E4BF48B0380EB1B4BECE0A02722D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893767Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:42.504{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52726-false10.0.1.12-8089- 23542300x8000000000000000893766Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:52.126{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081F929FF8D398B1876175289FA5E219,SHA256=9D620E6A2192A93CE086D2008E45334EAFAB6A8FEF77852A933EA6AB6FC24ED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031294Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:52.882{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94F068CF2A73302DA46F5B9F7696F7D6,SHA256=C7105FB672AC7E9CD21813F47BD885D5386D3081FFA43D4566C88E3D7DBFFEF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031293Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:52.007{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E14B910001DABF78E01E57F08F9A101B,SHA256=B26B19962186468F675A66840C11CD012027D17FF0C81C781272450CC1C760B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893770Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:53.142{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCB4ED9C7EEA2200DF5BA3411A33372,SHA256=9E0FB5FBC4856A3C9EB2CD20289A62C54406335C9A8FC063FB9872921FFBE9FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031296Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:53.271{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57635-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031295Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:53.007{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B131387F26E9F23740166ADCA4C97C,SHA256=A1CAB069DFE5745B40DF5B815DA274B0D9EFBCF389DE74037B8FFF252DCF1E01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893772Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:45.207{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52727-false10.0.1.12-8000- 23542300x8000000000000000893771Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:54.157{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F681D0005D5A3DA07D944BBC0E2A66,SHA256=51DF907F2E871911B63B24243EAAB0C489CADCF2CDD704DB25A26FBE1EA706A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031297Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:54.023{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A5402D13C4D9FED9DC4AE35C879C583,SHA256=95DD644AA0E8187DFB5E13E6B6BE4D9D6DE775562E1FB52FC9C6191699FB0DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893773Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:55.173{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3404BBB5ED220803FA21F8EA2EB9F78B,SHA256=80B2D78462F63798E52473C08FEF5B0D102BC33CAFD47CF557FF5445C420C4A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031298Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:55.038{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC86C6AF2DBA525DB1D6341C016A4437,SHA256=F4469A4CAE8A75870CC77BC23AA394036E18C4049552C1B23E4BED3854C06E99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893774Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:56.188{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=548AF6CD9C4D0A24DA931E8504F5BF4C,SHA256=D1AE70BDAFCCB88B689A19459A4C4021FB15B10D383ABC814963AAC890854FB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031299Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:56.054{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=778AFF702301F2B631C28810D69251F1,SHA256=1BC79D10E55438153D41A6CC1D159A5F3B6F56D4B57BF41C5A5F4ED99546D23C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893775Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:57.204{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7887081DEE94081B174AAF7788300A78,SHA256=F2670FF91ABC783E62D7F5289F46B447F55BD216B70FEDD1EBB459BE286FCF7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031300Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:57.054{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131AEF1A5C1664191A71BB70800B287D,SHA256=69EFC5F83E024E4A3DCB152679D8E815EC2215A6117A7C2A711332B4D4BA2D47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893776Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:58.220{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D7457BC0E8A8FB047C02AF4F6359B12,SHA256=A50B1EAF0B857D753BDB556575D6FC19B678029F0E63ED42A388FB371665597F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031301Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:58.055{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D297BA3673F522B19F12BE2073589481,SHA256=5200FEDBFD522C4970840D5AAB980A5C99B83D9D935C6054C8149A03DA61B831,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031303Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:58.365{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57636-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031302Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:39:59.070{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BE9F23D18AF3FD4CEDE681BD79F551,SHA256=FEE568C8674C77DA05C52F49913575E411BA82F6AA1FB51AE67DABB6A61C3EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893777Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:59.221{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E0AEA1FFF5C658EE9CF65999EBD3FE,SHA256=0F78149B145233C24504FC8E2BCA5DA2128EFE22782BD2BD515D85C66DEA4280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031304Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:00.085{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=528F5FE75F5E21E9E301D8CBA53BE4D4,SHA256=772AAA548F08455985110CF03FAC145DCF423588C60A402F0D6B5D3A3D25A6C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893778Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:00.223{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84D410D4D2656F935DB9150A1C69A27C,SHA256=5C989032ABF050A0AA16ECE24198C32033EBF9F99ED1150A58579BF4DBD0AD13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893783Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:01.490{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A48CF0C009499151C2E18C48AC9281D2,SHA256=8FA636D07FA962211AFB576BDF72015DC7C46FC439627986F2735E9FD1AABB24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893782Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:01.490{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89A5256DB4A0758823F2BF86478DA795,SHA256=8731BEFC71B1E4D34E9FB7903989AFD821780F6F8858FEB85E707D2CC44AD965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893781Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:01.224{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F67F115EF6A2B6D98DA9441FF9852D,SHA256=033FCE67469708A0610814C0B6A8BBF5EC476CC59C1F222B7EB23F9ED94DD2A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031305Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:01.101{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C204A002988806962563E8DC5A28B809,SHA256=4511E79AE3C664492BEC9454F25369135733DB6660DC8E588413209A4F54C2C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893780Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:51.391{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net50411-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000893779Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:51.114{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52728-false10.0.1.12-8000- 23542300x8000000000000000893784Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:02.240{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13558A5FB44DC5909478F05FBCF010D,SHA256=1CF7A6BB4BE94698D74BB4A243A0C7A3EBE34CB99B23194DC9DA4468FD416197,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031306Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:02.117{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E9A98991005303E6584462E4F2F50A,SHA256=20A5A6361F1C3652AE79FA23746184A10E6392C3E6FA17183F1BF3BE4B6B2DAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893785Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:03.256{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51BB780FBEBACFBAE620CDBF0CAEA88,SHA256=8EE3974FB7FB8562F3F4E6B4ED1C491A630E645BCCD6BBFDB992F02B12E91CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031307Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:03.117{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED50561E43BE0AAA43ECA5C595586D0,SHA256=7632F4574F7B916214346E4DD97E32AF1018590B6D95B0A6E49B03C282CCBDA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893786Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:04.271{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2A1F710EE13331D0188A1F3EEDBF476,SHA256=28522679A6605A6247C465E26E92578DBBBA48A803B18D619F96909B9FCB0C25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031308Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:04.117{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6C136128CFF969863A5860296F8013,SHA256=53603BDB0F7CDD71056974FBB4ABF233FF81F75FFEB690D4DECFD7D24FFB9EF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893787Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:05.287{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B7D60759F9C89E419F535490B0CAA0,SHA256=2538346AE61328A8C5B76573F568A260942B2374CB61690BB629BAEF062C8B71,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031310Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:04.256{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57637-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031309Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:05.304{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9C98CBA050B542C2EAE9562C42A4C84,SHA256=EA29E1B6564A70616814D1EF0DF1215BA22F998B0E45DAE40022709FE3BFBDC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893789Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:56.243{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52729-false10.0.1.12-8000- 23542300x8000000000000000893788Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:06.303{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F16B2329F7683DC6ABB8D6F78FB218,SHA256=6C8D1B5E01631E085DC0633D67211335A33860671BF52A5C68E23504C2DBB8F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031311Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:06.304{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD8CEA40950A4DFEFE4B654CAA3D416,SHA256=035D5AE26EF39F4B31D785132239C724BF2152EDF118BD574478B4DEB05AAB3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893790Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:07.318{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E18F5B251FA9B6748544DF07BAC9CA,SHA256=CC55BA61F8A67E4069F89172FA6BF981F89D3D933427508B4A4D1F923493561E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031312Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:07.320{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B02D107203BCE69A58BA0D9FC73DCF42,SHA256=05CA8A5C0BDEDB728BB58D34455DF372BDA03BD3A133D4C721F5CB0FE84734D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031313Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:08.335{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CF89033CC0F637B823515F8DBF72A0A,SHA256=95E1CC031B3D183EE33DFB7CE5C5F274A2CFF1A2B36350477557988CEE8516FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893792Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:39:59.211{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net61354-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893791Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:08.334{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A59041F6890DC24FE5450122629411B6,SHA256=4012F8F880FB4F3365BBE7DD1D13BA98727E56C1FECDEF7EE37831354D747C90,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031315Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:09.334{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57638-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031314Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:09.554{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B06A7A3AE400F2903003AF1CC27316F,SHA256=48BCAC5E844E4128DBD56849804966C1E1EA57351CD8A23502CB0BDFE4709AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893795Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:09.349{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5289DF7D09667A86F97986DD5CB28E,SHA256=1EB15634C164C5F31556ADCE9A85E7AA4E6D8DC1D68E6653096E657D5BD6401D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893794Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:09.068{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADD3F8C4FFF2CFA6B466C32A63192BB8,SHA256=915A30B0BE466BEB9AB5319C450ABD703E0AB9659CCBC30E12C2F84E953E95BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893793Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:09.068{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A48CF0C009499151C2E18C48AC9281D2,SHA256=8FA636D07FA962211AFB576BDF72015DC7C46FC439627986F2735E9FD1AABB24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031316Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:10.554{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C827752BF34AF23A4818F203A5ABAC99,SHA256=A5691AAC815EA2D0D6DA777EAC544EE471608DD434FEFD5EF05ACDB1E0FF30FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893796Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:10.365{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93FBA9D6EA6A658106451234189A1115,SHA256=B178C856DA2313430FA1B52C5D64DAB53DE765A619EA31C8E97097E4641E1893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031317Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:11.616{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BD2BD7244848F7C29D7F64742168C8C,SHA256=4E829A282EC5F875CA6872D21300FBFFFC041E139B21F6C295C2BBC1A381AFAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893797Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:11.365{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2A5D8195ABF8E99906432A2CF58B750,SHA256=F8CD86EB2A3997E99018080E54C097D6EBC427140EBD9DB8B557F37D232EC09E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031318Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:12.632{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6AE240FAC31DCA5669259C860F5D4E7,SHA256=38BEB73A93DFA9EE8F64FAD7F69604357ADDC002D0F28C6A3809B4C62C0750B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893799Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:12.381{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5C8C7409FC731AB18E1E22EE399193E,SHA256=B15B59A56023EFDC747DC4BAAFB91BF5B8F523633D1F68831497E39BF3969E8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893798Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:02.164{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52730-false10.0.1.12-8000- 23542300x80000000000000001031319Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:13.851{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25D9E6B389D92E3ADF4112DBDCAC740F,SHA256=23D2F5DE3BB517355A72ED9A2AAD5D1F6EBD1149168A65C7FCFC5FCC688965E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893800Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:13.396{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3455A09AC17D308A58247A7CEC29507,SHA256=2BA984B890868E10BA1C4575AABD7F0D7F2BA77C8A0631815DB0D5C22741A1FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031320Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:14.851{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=216B44E9169A33642BB07326DF1A6A2A,SHA256=F536AB4A9A32C2E9E8275AF7C1624994BDB5E76A153C12DCD2A7593903FC0E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893801Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:14.412{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8A64FA781FF229A15B281D77EC0C18F,SHA256=F165C26DC4B564FE8DCD1A6E00149AB69092FD4C086FD8ACB6C2A2EA974E0319,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031322Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:15.271{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57639-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031321Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:15.851{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1CCB988DDA145E2D71469033B84D7A4,SHA256=EC946C3565235ACE345A846954B205CF32AC313CD5BD2C07E80A2651A55BFF1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893802Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:15.428{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE609A8B31F1CE6B6E56F9D88EBB3B05,SHA256=6BDA38BCF13B9EED75DAF27766628A321FD57E8D3D61EF2AB9D36E7EAD38473F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031323Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:16.866{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C28203637FD79019E856379F02494CFF,SHA256=789F9473882C2FC14B687F8E2BDECBB4DEABAFFD7FBA49EA86598F47989D1446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893803Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:16.443{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3E532D8A44BB4EE71B80C1D0EBAFAB,SHA256=C4526C389ECB3A8649B633128FAF2C8332C27E5F8E131092C6D2445622AD2004,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031325Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:17.929{2E2BE06D-6DD8-60FA-1200-00000000E601}780NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CE2324E5C1EAC6E934C69A70CA676022,SHA256=B6060F3F7A73ACF1513360240F876C6A093CCBBAC1D49B66FEEED1B23AAA8481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031324Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:17.882{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=624F5038EEBC086AED2F962B0C92F448,SHA256=C8FA4DA145E3E1A798CE515D8B006332E4B4245771B9F21453662CB2E174DD46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893804Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:17.459{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905F67B6DB6592138F112AA1368B1556,SHA256=58FC83D5EA0E00B2CF85DB7A4A967A5098216F94C92B09F5188185900ED50FBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031326Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:18.898{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BA178F01A8BD4A8D88E1D6765018034,SHA256=AD86208E55A98322E1083F473D92A97863350290743ABDF94255C9D5D98A3B4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893806Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:18.475{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EDABA7417330E626ABE1826775DDB40,SHA256=BC03B05F327D64B3CA8A5D6FA0FA818A720C730801E95A974C135B8F2F27A1C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893805Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:08.117{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52731-false10.0.1.12-8000- 23542300x80000000000000001031330Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:19.929{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEFEE77B7E39A1378BD58955A1517167,SHA256=EF639FF14FC8734A3CAEC02A53F04818FADED994DEBCCD55ABF7C86CC258B019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893807Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:19.490{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61561FFF2C8D44ACD4242D6CA4DE4C77,SHA256=7FE807925F471AE8A7C704E3F832AAB62120B6BFA2271CC16C0491CDE16E1825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031329Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:19.820{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E712D51D86C16DB8B7C3383D71244F7,SHA256=4F9B497C0BA1067099AEC28EFD243769BFCF41BB6A4E6811611227798B8E9E7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031328Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:19.820{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65AD7C4074FE3C7C1C32B0460E0E6900,SHA256=B558BD912B62D9EEDF2C82A732B7E94A66C9EFBA2C88D2FD7B4CB099781452F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031327Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:18.524{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.7-44488-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001031331Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:20.929{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=869DD14C7B0E7F37D88C7DD7E59EDEA9,SHA256=3D771FEB62D9EEAD47B18B2892661F8E9D7973072E80EAB5CC761FB3DD9AB395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893808Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:20.506{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01ED8785D6E183524801159DA0C8E42D,SHA256=B291BF786B8B4331D31AF398A0E1E250E782551F7EB46D227DEBE7E1E1FD4AC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031332Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:21.945{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED71B3802A1505233081D2D3805186D,SHA256=73A10CF1005E60E019554013FF1DB06633A157F45771116E4485BB58BF52D6A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893809Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:21.506{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13DA77FAEA902E837E93D6BCAF04C4B,SHA256=02185CCF9530DC62ED1618AEE1DEFEE822EEF98B0902C34F96A344CC38ADC3AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031333Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:22.960{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD293DB8D9E1862B9CF5763CF306057,SHA256=563C5D2CAC29D9CB1F819646DB4F06B4F80825729296BB901F03835C1133E952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893810Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:22.521{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB2C2F71096DAE272D1CDDAFC5CAC2EB,SHA256=15F018A1FC90FC7DA0400EE7AD289D3C11BA6166085CE7195291C00232C6629C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031335Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:23.976{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69CBD8A4F9A052438510583E202E8751,SHA256=D885B4C838DFD21A5FEA649A5E870DFE1766AA3F6A04686303AEAC5824969911,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893812Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:23.537{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEFAC88FD859B1C41E86C16244D77578,SHA256=3EEE4C3D6EB1E595DA851E394938EE14DFC448CD86E66E662AC4EB60A23CA84D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031334Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:21.224{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57640-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000893811Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:13.242{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52732-false10.0.1.12-8000- 23542300x80000000000000001031336Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:24.976{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B49D57357261A6F1AB9EDBAEC6B3ED4A,SHA256=3A2B752595452C9E1C85209D0DF2CB5A3285E2E1FDD851C20C1A111EA94DF2AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893813Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:24.553{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A7F70C2EDB71CBCA5B606FE94D80A0,SHA256=261A6601D8C2E724B21D446FB7F017FB6636F311FA5812358B2A36DCCFC99FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893814Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:25.553{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A17F851A8E3B423410B8A6AA5B7A42,SHA256=2AEE9F45B246B515793C96B31C0A68A18F18F51AC27E2C3525CD37EB11E99AB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031337Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:25.351{2E2BE06D-6DE8-60FA-2700-00000000E601}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893815Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:26.568{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=281BE6DAF09BAC52FE2A5D22F5724C1E,SHA256=46F693675E2BABFE38BF2A5209A21E22AB7A05C8984B170F31CC407A72240E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031338Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:26.007{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=646C9E68972CB5FA101A9E1D8B18A0F0,SHA256=336F919B5FA2EF4F6942F3F9627242C1852E5E74AA2BFDED7F3A9CC66FA22DF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893829Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:27.928{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-74FB-60FE-2079-00000000E701}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893828Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:27.912{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893827Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:27.912{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893826Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:27.912{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893825Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:27.912{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893824Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:27.912{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893823Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:27.912{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893822Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:27.912{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893821Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:27.912{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893820Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:27.912{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893819Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:27.912{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-74FB-60FE-2079-00000000E701}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893818Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:27.912{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-74FB-60FE-2079-00000000E701}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893817Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:27.913{D94AFF6C-74FB-60FE-2079-00000000E701}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893816Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:27.584{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0ECB0D5F6782594FD4499647402F1DA,SHA256=3F898BD2A087FD3A89078E8A4BADDAC9660BA232AF1A03B17D87A3CC1080051A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031341Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:26.477{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57642-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001031340Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:26.381{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57641-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031339Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:27.041{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A8585BEE63758586ECE685ED09074D,SHA256=62A2266D3F616AF83E5132540F971F7388F27D8AC53516323F6EC1150293E7CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893846Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:28.928{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E09FE7796123566C8F7246BB9305EBC,SHA256=3C50983D40D56052618376BA3AD1FFC5205E498C34E0EC9E042A5A9BE4B4F008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893845Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:28.928{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADD3F8C4FFF2CFA6B466C32A63192BB8,SHA256=915A30B0BE466BEB9AB5319C450ABD703E0AB9659CCBC30E12C2F84E953E95BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893844Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:19.117{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52733-false10.0.1.12-8000- 23542300x8000000000000000893843Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:28.600{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F2FF51FD7939889536AC1D1823C5E71,SHA256=3B1A2D0814AC7A2EF3350674C69AAF86E0DCF2DDF35B7BDF965F9E953B5BC306,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893842Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:28.600{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-74FC-60FE-2179-00000000E701}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893841Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:28.584{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893840Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:28.584{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893839Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:28.584{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893838Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:28.584{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893837Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:28.584{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893836Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:28.584{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893835Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:28.584{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893834Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:28.584{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893833Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:28.584{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893832Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:28.584{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-74FC-60FE-2179-00000000E701}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893831Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:28.584{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-74FC-60FE-2179-00000000E701}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893830Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:28.585{D94AFF6C-74FC-60FE-2179-00000000E701}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031342Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:28.048{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81EBC2259EC87406865A52356E70206D,SHA256=70DB0065D9A308A4009A6B17847BAA855DB123B614DE54E5680A9B6D6D88771F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893873Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.943{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-74FD-60FE-2379-00000000E701}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893872Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.928{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893871Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.928{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893870Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.928{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893869Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.928{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893868Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.928{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893867Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.928{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893866Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.928{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893865Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.928{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893864Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.928{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893863Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.928{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-74FD-60FE-2379-00000000E701}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893862Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.928{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-74FD-60FE-2379-00000000E701}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893861Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.928{D94AFF6C-74FD-60FE-2379-00000000E701}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893860Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.678{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5E93ECCE239A2A9815D49EE72A0844,SHA256=196845B9D1A5110B05099F2F19A4CBB01B678E86B796DEC5D6F393F6F0857FF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031343Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:29.051{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90145DEB46CAB9F0AD94F6741681A10B,SHA256=6578E04F3297022FD0CB48B59AF17E42F902BF5CDC0396767D66A54334F6184D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893859Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.271{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-74FD-60FE-2279-00000000E701}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893858Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.256{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893857Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.256{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893856Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.256{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893855Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.256{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893854Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.256{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893853Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.256{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893852Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.256{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893851Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.256{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893850Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.256{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893849Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.256{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-74FD-60FE-2279-00000000E701}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893848Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.256{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-74FD-60FE-2279-00000000E701}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893847Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:29.256{D94AFF6C-74FD-60FE-2279-00000000E701}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893876Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:30.693{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA0A62F5C486EDD25D249CD46B77F21,SHA256=6316281337DB67819781C95B6AC4A71427148D3127695CBBA356CF184D0CD99D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031344Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:30.051{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=594585B592A6F3625335EB3E5F5D8D12,SHA256=C676050C0D5DBE2CD88408D9A3D42B10C8A949DBABBD09D52C15794BB04717EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893875Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:30.303{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E09FE7796123566C8F7246BB9305EBC,SHA256=3C50983D40D56052618376BA3AD1FFC5205E498C34E0EC9E042A5A9BE4B4F008,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893874Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:30.053{D94AFF6C-74FD-60FE-2379-00000000E701}1732824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000893877Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:31.771{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB00F0EE450DDC7DA8014F9929BEFDB,SHA256=65E4AF801EE91EF75CFE299F8D038B904023655384F6150C726F23823D0D6D11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031347Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:31.988{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8ADFF2ABC24555739F5BF069AA99DF40,SHA256=9D66FDF9D7CB1D796A83FAC571F1A219B3D8D675625BC4DA46C935845443EFB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031346Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:31.988{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E712D51D86C16DB8B7C3383D71244F7,SHA256=4F9B497C0BA1067099AEC28EFD243769BFCF41BB6A4E6811611227798B8E9E7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031345Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:31.082{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1735A232CE15E2F7EAE18E0CA357332,SHA256=6652360861F3255990B3D4A6D41A565AE16C6BE922DA172914B37B34B85E07C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893878Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:32.881{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC91332D40A18AAB0D534D8D81DD1F2,SHA256=209FABA0D34D2D8B2991306411B1E0F33C2F0C7929F05088B88ACE6275955EE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031350Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:32.221{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57643-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001031349Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:30.991{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse112.29.139.34-14334-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001031348Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:32.082{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D56357855D3D8F8E33C9077FB385377,SHA256=2449D5FF4948E01B0A59F1CA9A6C9D9532FC5C81A4FF0A85835369E9E2A5E17E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893880Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:33.928{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF024169218F2E088EE111B530A57DF,SHA256=CAFF19A2684AB0EC9D1E80422117031869D0123CF9047A4844095BCECD822129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031351Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:33.129{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB720F0D643CB664A09E02C8F5B98657,SHA256=144C102F3B450CAB6358F8795DFECCB0B2E44C80AE6B3101298858A996F77C43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893879Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:33.443{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C248FF7AFE9D553D83AD82643BC4980A,SHA256=811EB36D1982E01243B552A5DF9D9D20ADF57209177F064110DA11CE8D50A519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893881Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:34.943{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8572EB822A5F696556343CBB41717F,SHA256=024D84F6CA9CB2ADCADD667014CA359B39CF20722A9586E97D7F150A276DA28B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031352Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:34.223{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A061FC54C234F33BAFE20FF015288449,SHA256=67646495FD51384BBC4BE1EB0527A18E1D75E8509C44AB1EC1D82FE0304D0705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893898Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:35.959{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D56E0B199C5961D1431105E30AD5F7C1,SHA256=927ACD9D46633B40990B42776F3E4D1DD31E0731FF20D4AF74091BE5348A54C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031353Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:35.223{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959EDAD8FC501CD33A5BE39212C5C5E0,SHA256=FBE141610F53E4A9AC3132A1C0EF030D800B475F22B40CB297B70DF373BFD33A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893897Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:35.584{D94AFF6C-7503-60FE-2479-00000000E701}528772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893896Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:35.475{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7503-60FE-2479-00000000E701}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893895Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:35.459{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893894Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:35.459{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893893Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:35.459{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893892Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:35.459{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893891Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:35.459{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893890Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:35.459{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893889Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:35.459{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893888Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:35.459{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893887Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:35.459{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893886Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:35.459{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-7503-60FE-2479-00000000E701}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893885Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:35.459{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7503-60FE-2479-00000000E701}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893884Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:35.460{D94AFF6C-7503-60FE-2479-00000000E701}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000893883Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:24.226{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52734-false10.0.1.12-8000- 354300x8000000000000000893882Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:23.974{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.227-58660-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 10341000x80000000000000001031385Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031384Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031383Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031382Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031381Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031380Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031379Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031378Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031377Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031376Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031375Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031374Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031373Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031372Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031371Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031370Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031369Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031368Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031367Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031366Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031365Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031364Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031363Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031362Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031361Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031360Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031359Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031358Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031357Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031356Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031355Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.488{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001031354Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:36.238{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73DEC72E9823BBFCACA8D7DA0D23EBBF,SHA256=A7A4B6271BFDC499D4E2AE1B029F09BF710D8AF9B10D4C3368DD05B7E16B4BE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893899Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:36.490{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=528D6973CCA90BA62D22029AD8155095,SHA256=C48B16B8D40D0E8DBBF8A605FCCEF476C5E7BCBBB7B1AAECE8579397F2E5F61B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031387Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:37.315{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57644-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031386Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:37.285{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E311C62063EA4F4E3E05D2A6957A65,SHA256=BAA2E9DEAAE63A386335C8369CB71CA2A71DCA7852D5C0DA48C5B602364B3908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893900Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:37.006{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEB8EEB87C9A96B4E8F6BA492628BA70,SHA256=8EE5E8643CFE7556ABD13A7B0A654D6240513F123ED196CD42A9F79BF00B35CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031388Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:38.285{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77725FE7A1E33841E26AA4F7CA329E4C,SHA256=4A9B8704AABB7C58429B2D908FDB0F870297870B2F452A1B4C45AF50B541C1E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893901Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:38.021{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8257879C81A7D612A62845948CC78528,SHA256=CD206E7AE7F999C4918FDF32926CCCE07A0DA7969406EFFCA5725305192FBDD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893917Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:39.553{D94AFF6C-7507-60FE-2579-00000000E701}1722992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000893916Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:30.070{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52735-false10.0.1.12-8000- 10341000x8000000000000000893915Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:39.428{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7507-60FE-2579-00000000E701}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893914Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:39.428{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893913Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:39.428{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893912Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:39.428{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893911Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:39.412{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893910Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:39.412{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893909Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:39.412{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893908Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:39.412{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893907Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:39.412{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893906Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:39.412{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893905Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:39.412{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-7507-60FE-2579-00000000E701}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893904Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:39.412{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7507-60FE-2579-00000000E701}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893903Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:39.413{D94AFF6C-7507-60FE-2579-00000000E701}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893902Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:39.068{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10CDFAE8FF00DD924910344632F1C4C,SHA256=DDCBA69BEA7A5052283408B81942D447D63CF2FF5AD5A6B43A3D77FFDF6DB834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031392Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:39.894{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D458FC730ACFBA1EB1EC82EBFAC9B1DE,SHA256=0DD84864B3C7FD7BEB82952AAEE0C49FF88671A074E548466C8E8844080AACA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031391Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:39.894{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=04F31F23CFA6CBF666D8F99997CA0D06,SHA256=062CD6C242C8CAB5D835B702802DA039E527E14EFA2FC9F3947037FD4E4BAE94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031390Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:39.301{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7005A350F94957601A993FEBDC5A03AD,SHA256=B5BA049070B5D10A00DBDE4A623AD2459429A2A1B6D3CD6725B835D515DBFC23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031389Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:39.082{2E2BE06D-6DD8-60FA-0D00-00000000E601}9045064C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2900-00000000E601}2924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001031393Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:40.316{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5C4AC57F56AB3E0B29C065F9575626,SHA256=00E447AF381EF192CACA2EB69C2907662AEAC9F1BA528EF391CF92451CB49E39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893934Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:40.553{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=287B14986B989CD76A3FDBDD011FAE0D,SHA256=B4A7EEA5689B11127F1548AD177D015FC04FF068A686CD50E195BA7C25CA7D53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893933Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:30.082{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse49.238.204.234-55064-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 10341000x8000000000000000893932Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:40.209{D94AFF6C-7508-60FE-2679-00000000E701}40323052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000893931Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:40.100{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE3227D5AB9E39B4CB45EE95E1628B93,SHA256=75313B7D9FB0476048CB9B82A34EBD2218F2E40D60DE40C8A4042054A87FEBBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893930Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:40.100{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7508-60FE-2679-00000000E701}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893929Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:40.100{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893928Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:40.100{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893927Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:40.084{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893926Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:40.084{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893925Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:40.084{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893924Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:40.084{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893923Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:40.084{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893922Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:40.084{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893921Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:40.084{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893920Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:40.084{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-7508-60FE-2679-00000000E701}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893919Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:40.084{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7508-60FE-2679-00000000E701}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893918Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:40.085{D94AFF6C-7508-60FE-2679-00000000E701}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031394Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:41.316{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83E4686D7F3880440E8AF886743BC376,SHA256=D09CEE746ACC7AE59975033D97EC104C1118EC8EC41C612A05D31058F66AC1C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893935Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:41.115{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD796B47451AECE608EF211CC6FEA93D,SHA256=4B815BBA4AE2CDE769E9440519B47AA97B81106BA84CFE5F4E2B8EBF33D5BC67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893937Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:32.640{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.33-37687-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893936Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:42.146{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D94FF0DBD724C9322F1F430268E10CCB,SHA256=265AE4B89D666140D02A061D2754BBB370346EC7E5B76DF7A3EE58D037516A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031395Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:42.316{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166AD6218C4AAC4634012A564A5612EF,SHA256=AC65D687838F886B1496DCF38FA7770EA035B5F5C13C519894BACD646E061824,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031406Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:43.930{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-750B-60FE-B779-00000000E601}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031405Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:43.930{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-750B-60FE-B779-00000000E601}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031404Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:43.930{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031403Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:43.930{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031402Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:43.930{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-750B-60FE-B779-00000000E601}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031401Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:43.930{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031400Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:43.930{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031399Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:43.897{2E2BE06D-750B-60FE-B779-00000000E601}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001031398Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:43.206{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57645-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031397Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:43.332{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F42DEB730F01195A939355B40FA1798E,SHA256=4407CC15875073E22A59612DD00EA60B5F9F49DF9C342C98FC26F048AE227ABA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893940Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:33.792{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.33-45397-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893939Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:43.146{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81DCB9D534691C6B0F1141EF1AEAF094,SHA256=288097C1FBFF056D83B76DF220B422A592620A3428C22D460420332A98F199A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893938Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:43.131{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8C10F6E01B001A16D6193BE06BF769B,SHA256=DAC937FA0903D0F4905205721748B5AFD6A04674772822C791BAF1B59B014DAF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001031396Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:40:43.160{2E2BE06D-6DD8-60FA-1400-00000000E601}688C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d781f9-0xebadfa09) 23542300x80000000000000001031419Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:44.897{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F6F7E025659893B41B2A4CEFC54ADCD,SHA256=A07DAAFA9E3C064CF33391C1E42CBE723EE6AF6F8EE478C7A4881872D1861D52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031418Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:44.897{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8ADFF2ABC24555739F5BF069AA99DF40,SHA256=9D66FDF9D7CB1D796A83FAC571F1A219B3D8D675625BC4DA46C935845443EFB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031417Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:44.283{2E2BE06D-6DD8-60FA-1400-00000000E601}688C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-56.attackrange.local123ntpfalse20.101.57.9-123ntp 10341000x80000000000000001031416Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:44.616{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-750C-60FE-B879-00000000E601}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031415Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:44.616{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031414Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:44.616{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031413Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:44.616{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031412Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:44.616{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031411Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:44.616{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-750C-60FE-B879-00000000E601}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031410Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:44.616{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-750C-60FE-B879-00000000E601}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031409Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:44.601{2E2BE06D-750C-60FE-B879-00000000E601}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031408Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:44.335{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87F763939F80533AB6FB320DC521CE3,SHA256=B07AA439E251B6F8B1A83C4BD508F8FD63CB1350A615E09A5F69D688C02AB757,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893942Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:35.195{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52736-false10.0.1.12-8000- 23542300x8000000000000000893941Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:44.162{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A50E04DC1D62E2D8600A4F9B59962839,SHA256=96E372EF69E5845CB5092411188D5AC71AE4670C8C7D7AA85E75D96A881F4A4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031407Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:44.116{2E2BE06D-750B-60FE-B779-00000000E601}62322356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031437Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:45.819{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-750D-60FE-BA79-00000000E601}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031436Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:45.819{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031435Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:45.819{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031434Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:45.819{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031433Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:45.819{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031432Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:45.819{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-750D-60FE-BA79-00000000E601}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031431Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:45.804{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-750D-60FE-BA79-00000000E601}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031430Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:45.804{2E2BE06D-750D-60FE-BA79-00000000E601}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001031429Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:45.569{2E2BE06D-750D-60FE-B979-00000000E601}35524180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001031428Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:45.382{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A5ED69F45DA74798465EA0FBC4A6639,SHA256=7763E0DA4E07D3227103B510920702903F84051D2E7E6C699DE686CE3E2CD53B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893944Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:45.506{D94AFF6C-6DD8-60FA-1100-00000000E701}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0A654600D32D1025D08E7D09CE3FD835,SHA256=39CA533634145F1A0FEF8D75494F5EAB7F284324110F0E58718567A72773B382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893943Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:45.193{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5F7EC48AF37BC62F9EDDE48719E135,SHA256=0C85A79B0CECBC7FB92C73C0F38E063C37EAFB8E3830DA05F79BB86D29C74EFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031427Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:45.304{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-750D-60FE-B979-00000000E601}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031426Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:45.304{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031425Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:45.304{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031424Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:45.304{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031423Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:45.304{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031422Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:45.304{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-750D-60FE-B979-00000000E601}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031421Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:45.304{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-750D-60FE-B979-00000000E601}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031420Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:45.289{2E2BE06D-750D-60FE-B979-00000000E601}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001031449Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:46.725{2E2BE06D-750E-60FE-BB79-00000000E601}29484872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031448Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:46.507{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-750E-60FE-BB79-00000000E601}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031447Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:46.507{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031446Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:46.507{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031445Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:46.507{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031444Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:46.507{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031443Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:46.507{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-750E-60FE-BB79-00000000E601}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031442Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:46.507{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-750E-60FE-BB79-00000000E601}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031441Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:46.492{2E2BE06D-750E-60FE-BB79-00000000E601}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031440Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:46.382{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=722FD3DEFADE9CCB00678E8EB67794CF,SHA256=A5F69F0FF7EE2ACF092A55DE0F4EBFA6F8DC9BD64A0689DF375B2F6C80C8894E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893945Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:46.240{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6E34FA027928D840EA284DF68A8B91F,SHA256=58D858FE5EB5B9282473689D1A1F9632BF219249CEE220E456645235586D965D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031439Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:46.304{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F6F7E025659893B41B2A4CEFC54ADCD,SHA256=A07DAAFA9E3C064CF33391C1E42CBE723EE6AF6F8EE478C7A4881872D1861D52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031438Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:46.038{2E2BE06D-750D-60FE-BA79-00000000E601}61163640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000893946Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:47.256{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E1961785028133DD6D45E1F9A6F8076,SHA256=B1F374B4FF5A5EAA70437512D412310A67F0E24277FA0EEFFA03949341716EB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031459Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:47.728{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C052A685D4C091CDFC926FAB2CEE542,SHA256=6C0E64161E88E3028F2B033D5AA152AC8370B895748ACC54BC7B8D5F58E13072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031458Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:47.413{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F14727769E0423CC5FD6CAED330692A0,SHA256=2395617CBC9A9AA309CCA4EE68DEB42250D991204FDEC0018A86893EA2A1813F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031457Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:47.194{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-750F-60FE-BC79-00000000E601}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031456Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:47.194{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031455Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:47.194{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031454Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:47.194{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031453Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:47.194{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031452Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:47.194{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-750F-60FE-BC79-00000000E601}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031451Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:47.194{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-750F-60FE-BC79-00000000E601}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031450Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:47.179{2E2BE06D-750F-60FE-BC79-00000000E601}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893947Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:48.303{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC052D3E1F578903227A8AC80CF755ED,SHA256=F5F71D93CCBE7E0AF4E0053925EEDD312AE25E90FD35AE40314F4B28B3C52658,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031461Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:48.348{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57646-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031460Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:48.413{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5D2903E8E3EA7AD1E5D50938BD18AAB,SHA256=84163D790B6016AF3ACA3A45F25A5B763D53C51956264D1B7CBDB0C58F936B90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893948Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:49.318{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80600B73B50B365061B4C305F8213B74,SHA256=D85D12DDC6F89C134920CA364C0733E784E3F0C2D06A461C54629578A3235A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031462Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:49.413{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8D63742CE0CD8450179A26448B5B4E3,SHA256=4FF5EEA396B778CE79CD71390C11DCACDB2C10FCDD519E3BD70BA41AEDD1C659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893950Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:50.537{D94AFF6C-6DD9-60FA-2200-00000000E701}1296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893949Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:50.475{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059DE41BFA5CD24BE65CCD172C4B1C6D,SHA256=8F31480EE2D9927658F1F2F650F06C2CE5AF80BCC916503610E78331479EFC93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031466Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:50.769{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57647-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 354300x80000000000000001031465Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:50.769{2E2BE06D-6DE8-60FA-2300-00000000E601}2740C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57647-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 23542300x80000000000000001031464Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:50.679{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61CF5776E9797C8FF3DE48A7F5A01B6F,SHA256=AB7C4E2E345F246D6937582035ADE4E919E81F6EF4701464387CE634EBA6046D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031463Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:50.429{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0300D844E561EC779B20A501DF5F0AA,SHA256=9AD46C11170229B15ADE41F792447619A4F1D4DDB43999BB0249F1F451D6A4F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893952Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:51.709{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AAC83129F8D95942A00219AAE29A93A,SHA256=D57F34CA45CB928E96CCDD1D06C4B5F1631CE82B101BC7CBB435C9D3F858DFCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031475Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:51.882{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7513-60FE-BD79-00000000E601}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031474Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:51.882{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031473Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:51.882{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031472Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:51.882{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031471Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:51.882{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031470Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:51.882{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-7513-60FE-BD79-00000000E601}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031469Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:51.866{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7513-60FE-BD79-00000000E601}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031468Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:51.867{2E2BE06D-7513-60FE-BD79-00000000E601}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031467Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:51.429{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC37A27CBCC3BB6E17C540FCFAF0777,SHA256=7E92898F53A25F2A1D901089416BCBD962F0170A0BB34CFD7C49021869B12C8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893951Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:41.069{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52737-false10.0.1.12-8000- 23542300x8000000000000000893954Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:52.834{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C87A21851CA2066C2C58B3BB5402F012,SHA256=7D6BB16B8C41EBA206180ACBBBB0F12FDD8C85EFDBB15D0861F8417A34FA5BCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031477Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:52.882{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D25CF70D0DF0FC202A5E8A48D82975E,SHA256=3C0D1A410240339CBF813C903A858A280C8AE5924A5E46BCBCCB8F0752D6D0BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031476Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:52.444{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF0DD4E0160E42F2D8E1F45CB1237126,SHA256=D18D2765E17EC10D283D000E035EDEE43F485B29E7A480CD3C22EEEB28EFF4E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893953Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:42.523{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52738-false10.0.1.12-8089- 23542300x8000000000000000893956Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:53.896{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B74118FAAAF6AC8014B80305B5CB57D6,SHA256=5CC0BB2DBC6C3AEE46FD137C01F0B1127C560014A6A169432F433663BA332E55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031478Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:53.444{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF0C1790F6BA2200CCEA59ADA6771CF,SHA256=CF325A0B5BDA7979EB1E3F6C419C8B235C23A0EA950BC4620746CE1E3D4EEDBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893955Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:43.940{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net57531-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893959Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:54.928{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B558CC378C60EE954F0816F5BF7F39A1,SHA256=25091EF27BC9AFB370A5627D3520970C56B4CE61F33E2E8E13D083194C794173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031479Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:54.444{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA4180753377DFDBF49D7887A38448D3,SHA256=7B14FF65EF94FEF1AB655DA6F21FEAD908EB6940F72156068188143A71C5D217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893958Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:54.521{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED8B5D921AA65CE01AF4B0475CB7F12B,SHA256=1E6E88A76445DD51BA9A1645652D3A8201A37ED891635B1E1821F50034353E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893957Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:54.521{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D2039F94F309C3D65842DCA1619C09E,SHA256=F94E3269234FFE98377EBE51C15D012E8F291D15EECA712CA38B31B535FBFA3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893961Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:55.943{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F566CC36D514D7E636196877932C408,SHA256=0345B7C2F082F811E44FAF70CAA6FA876D61EBF0889C64B37C3B23D2A644A598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031481Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:55.444{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8EF3D8FC09C3996C2A895AEB64FBBF,SHA256=E4C5228C0E8BF08DE7EB24EF16C28984D11C25B5F4A1A15376BA8DE9FFA00CA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893960Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:46.147{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52739-false10.0.1.12-8000- 354300x80000000000000001031480Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:54.237{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57648-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031484Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:56.444{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6539F75A1A55351826304F76609FDAB9,SHA256=B51B381019B682230025DEB09003D818D12C708AB89903726AF8C504569A1BD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031483Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:56.163{2E2BE06D-6DD8-60FA-1000-00000000E601}384184C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031482Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:56.163{2E2BE06D-6DD8-60FA-1000-00000000E601}384184C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001031486Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:57.444{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC1695EC62AA5279E05604356BE30CDC,SHA256=11A619170CDA921F8B132E4CE67196FC0A6F20FCC34A5272CF4ED355A117FED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893962Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:57.068{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=611C9B5A22D109E0A1F2BD64599544F7,SHA256=81FFAE877B14C1B987A2D47E52FA61CB5371992D136CA7CAAE5D1C8739BC9FBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031485Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:57.257{2E2BE06D-6DD6-60FA-0B00-00000000E601}6366244C:\Windows\system32\lsass.exe{2E2BE06D-6DD3-60FA-0100-00000000E601}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001031489Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:58.444{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB68AF345EEDB8864EF33F8326347137,SHA256=CD45B548A25380F8277412EAC837E4283EBC5EFFAB50DA88F9F0937E0EEC8381,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893963Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:58.100{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1C27E27287B8CB3B371EA8CA5157644,SHA256=29186EDEE455144998318ECD8D6F4410F3E4974DC12B2D852C8217BFA773CEE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031488Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:58.272{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27DDDA9320418DAC9BB45140E0A83AFE,SHA256=AD0DDDC0B857DCB231C48386F7E2362DD135FD4DDA129292D7B8E61DB9AC911E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031487Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:58.272{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8771FE7000DE4A09E588DA6C5964629E,SHA256=495DEA8ABEC3693A5FD3A9811561654488A9330BD4EAB1D7967947C171693046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893964Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:59.334{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D2F6C207CCC94835C9C9DB080ADC1E,SHA256=2002E1C32655608C1E4E66612CB46D1D277563D842440513701E4A8779D046A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031492Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:59.444{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=014B8BB566556B761FE77B0F6C7A0C99,SHA256=42B594DA4C5F9BF85968196555723359B7F266D676714B01FABD48AE77AD05D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031491Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:58.394{2E2BE06D-6DD3-60FA-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57649-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local445microsoft-ds 354300x80000000000000001031490Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:58.394{2E2BE06D-6DD3-60FA-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57649-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local445microsoft-ds 23542300x8000000000000000893965Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:00.351{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4110C63743589D7A3278A956DCD71D2,SHA256=4C966F593627EE36E1E2FD26964F8D6B0931CF6F7780EF0B0DCF6D2D110A3277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031494Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:00.460{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BDE26C4CF72AEC39805A09A4046C7B8,SHA256=40F918FDF726D8BDE9FDF15B22CC195683BE76AC77D4129952C7BCDDC0F990FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031493Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:40:59.331{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57650-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000893967Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:52.102{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52740-false10.0.1.12-8000- 23542300x8000000000000000893966Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:01.586{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD576B32910164F74D7748017A1D5B60,SHA256=9CABA465725CA7D57A42F726A84DDB9ADF3E34B1F9B42778E969E068F432A21E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031495Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:01.460{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4BB434184EB82FE7F376852DC8AC70A,SHA256=87CE69F6D042B5315E9984E5231D92C507AB00E7511425718EE33BCB45C01F24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893968Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:02.603{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D490BB34996A4CE136CEA8BC03954CF3,SHA256=FA7563EE2C1C4FFA18E55C5647426E8F6D7ADFE857FFF5CEE68A6D4B687DCE2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031496Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:02.475{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3388C98618011807A0C1C6E3AE2AF351,SHA256=DAD9C4DE7AA89D88188FB6671044401D86FCCE681BC8C7589E83EA72956D2C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893969Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:03.603{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D605321738D78DBD6705C151125F2716,SHA256=D9705F04B66DD8B2D71D3EF82E155DD092B516675E088C00949B526545C20230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031497Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:03.475{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB80D260F89F7E7A1DD6EFFCDE1441A5,SHA256=216D2E28F6B2828C552133F99767FF19C7EE2A5BF9305B67943BD783A9E72D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893970Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:04.634{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B76FC0DE3648BC055B0F8082BD4583FE,SHA256=32E05A25A63375750A371EF74B7167380E847B96E498D9EAA362146197FF917C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031498Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:04.491{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DA9EBABD046A935EFFA2627CDB34BE3,SHA256=C8832DC245B15C2A14E9B0D28A2267D343D47AA3EB5E452961CE2A1DFE7A0278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893971Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:05.853{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5151EC96BDBCE22B51058881C69BB678,SHA256=C37BC542C76616A25726276B289F7F3B19B6FEDA1EDFC1630F57C3F6AF6E9834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031500Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:05.491{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D284C7F1A546D627869142B2E7CCA2E6,SHA256=DF52F885168B7D6B11F8FE8BA9F2FF842D9082765914500878B7C4B3D66E3C5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031499Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:05.190{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57651-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001031547Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.569{2E2BE06D-CA2B-60FA-590B-00000000E601}41045116C:\Windows\System32\RuntimeBroker.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001031546Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.569{2E2BE06D-CA2B-60FA-590B-00000000E601}41045116C:\Windows\System32\RuntimeBroker.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001031545Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.569{2E2BE06D-CA2C-60FA-630B-00000000E601}47286776C:\Windows\Explorer.EXE{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031544Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.569{2E2BE06D-CA2C-60FA-630B-00000000E601}47286776C:\Windows\Explorer.EXE{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031543Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.538{2E2BE06D-6DD8-60FA-1500-00000000E601}11322284C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031542Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.538{2E2BE06D-CA2B-60FA-590B-00000000E601}41045116C:\Windows\System32\RuntimeBroker.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001031541Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.538{2E2BE06D-CA2B-60FA-590B-00000000E601}41045116C:\Windows\System32\RuntimeBroker.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001031540Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.522{2E2BE06D-CA2C-60FA-630B-00000000E601}47286324C:\Windows\Explorer.EXE{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031539Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.522{2E2BE06D-CA2B-60FA-590B-00000000E601}41041084C:\Windows\System32\RuntimeBroker.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001031538Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.522{2E2BE06D-CA2C-60FA-630B-00000000E601}47286324C:\Windows\Explorer.EXE{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031537Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.522{2E2BE06D-CA2B-60FA-590B-00000000E601}41041084C:\Windows\System32\RuntimeBroker.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 23542300x80000000000000001031536Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.522{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54734C6D1F322499F5B79E234F1D4487,SHA256=FEFE4BF15E2811BE5A15111F6A664495D124EC9B2BE2C2A9FE61E2AC97692FEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031535Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.522{2E2BE06D-CA2C-60FA-630B-00000000E601}47284976C:\Windows\Explorer.EXE{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001031534Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.522{2E2BE06D-CA2C-60FA-630B-00000000E601}47284976C:\Windows\Explorer.EXE{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 13241300x80000000000000001031533Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:41:06.522{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\80A749DD-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_80A749DD-0000-0000-0000-100000000000.XML 13241300x80000000000000001031532Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:41:06.522{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\FF0B1A08-CD41-4F90-8CA9-0CD1036C849E\Config SourceDWORD (0x00000001) 13241300x80000000000000001031531Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:41:06.522{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\FF0B1A08-CD41-4F90-8CA9-0CD1036C849E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_FF0B1A08-CD41-4F90-8CA9-0CD1036C849E.XML 10341000x80000000000000001031530Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.507{2E2BE06D-CA2C-60FA-630B-00000000E601}47285220C:\Windows\Explorer.EXE{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031529Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.507{2E2BE06D-CA2C-60FA-630B-00000000E601}47285220C:\Windows\Explorer.EXE{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031528Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.507{2E2BE06D-CA2C-60FA-630B-00000000E601}47285220C:\Windows\Explorer.EXE{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031527Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.507{2E2BE06D-CA2C-60FA-630B-00000000E601}47285220C:\Windows\Explorer.EXE{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031526Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.507{2E2BE06D-CA2C-60FA-630B-00000000E601}47285220C:\Windows\Explorer.EXE{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031525Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.507{2E2BE06D-CA2C-60FA-630B-00000000E601}47285220C:\Windows\Explorer.EXE{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031524Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.507{2E2BE06D-CA2C-60FA-630B-00000000E601}47286896C:\Windows\Explorer.EXE{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031523Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.507{2E2BE06D-CA2C-60FA-630B-00000000E601}47286896C:\Windows\Explorer.EXE{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031522Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.507{2E2BE06D-CA2C-60FA-630B-00000000E601}47285220C:\Windows\Explorer.EXE{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031521Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.507{2E2BE06D-CA2C-60FA-630B-00000000E601}47285220C:\Windows\Explorer.EXE{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031520Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.507{2E2BE06D-CA2C-60FA-630B-00000000E601}47285220C:\Windows\Explorer.EXE{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031519Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.507{2E2BE06D-CA2C-60FA-630B-00000000E601}47285220C:\Windows\Explorer.EXE{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031518Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.491{2E2BE06D-CA2C-60FA-630B-00000000E601}47285220C:\Windows\Explorer.EXE{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031517Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.491{2E2BE06D-CA2C-60FA-630B-00000000E601}47285220C:\Windows\Explorer.EXE{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031516Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.491{2E2BE06D-CA2C-60FA-630B-00000000E601}47286896C:\Windows\Explorer.EXE{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031515Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.491{2E2BE06D-6DD8-60FA-0D00-00000000E601}9045416C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031514Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.491{2E2BE06D-6DD8-60FA-0D00-00000000E601}9045416C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031513Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.491{2E2BE06D-6DD8-60FA-0D00-00000000E601}9045416C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031512Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.491{2E2BE06D-6DD8-60FA-0D00-00000000E601}9045416C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031511Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.491{2E2BE06D-6DD8-60FA-0D00-00000000E601}9045416C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031510Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.491{2E2BE06D-6DD8-60FA-0D00-00000000E601}9045416C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001031509Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.491{2E2BE06D-CA2C-60FA-630B-00000000E601}4728ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031508Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.491{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441904C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031507Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.491{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441904C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031506Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.491{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441904C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031505Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.475{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001031504Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.475{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001031503Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.475{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001031502Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.475{2E2BE06D-CA2C-60FA-630B-00000000E601}47282624C:\Windows\Explorer.EXE{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031501Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:06.475{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441904C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001031555Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:07.975{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC96B8CA0AB8A75D325F130C5E9ECCF9,SHA256=3A334F19FC77FB70E49D61CF886DB53764865A6D537490048B6464D750D102F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031554Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:07.669{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57653-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001031553Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:07.669{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57653-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001031552Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:07.645{2E2BE06D-6DD8-60FA-0D00-00000000E601}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57652-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local135epmap 354300x80000000000000001031551Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:07.645{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57652-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local135epmap 354300x8000000000000000893973Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:40:57.182{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52741-false10.0.1.12-8000- 23542300x8000000000000000893972Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:07.010{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A661EE455383FEDAE32DFF1E760854B,SHA256=B711E3E7F7D1313BE44431FAE654EBBEA85063B92084B03E73B22E1F1DD96EF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031550Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:07.475{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFB325EABBCA5F5068421EB9A06C0B35,SHA256=335993170807C7A8E92EB89E8F9910D080083521DB14541C86CF51154149B89C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031549Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:07.475{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27DDDA9320418DAC9BB45140E0A83AFE,SHA256=AD0DDDC0B857DCB231C48386F7E2362DD135FD4DDA129292D7B8E61DB9AC911E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031548Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:07.348{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.235unn-212-102-34-235.datapacket.com3500-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001031568Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:08.975{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFB325EABBCA5F5068421EB9A06C0B35,SHA256=335993170807C7A8E92EB89E8F9910D080083521DB14541C86CF51154149B89C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031567Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:08.725{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69BBBED6A84042874EFFF59613C08829,SHA256=4B576BBEBFB893C1DB053778C8B70233EC05CCEB55731BDB8E25DEB9A11187EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893974Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:08.010{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC40BAD9E922676680E151C2D826E00E,SHA256=A2CD53C8842CC0462C483C84516D0537A5FD386708D07445F247BF3DB888D197,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031566Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:08.475{2E2BE06D-CA2C-60FA-630B-00000000E601}47284976C:\Windows\Explorer.EXE{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001031565Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:08.475{2E2BE06D-CA2C-60FA-630B-00000000E601}47284976C:\Windows\Explorer.EXE{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 354300x80000000000000001031564Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:07.685{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57654-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001031563Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:07.685{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57654-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 10341000x80000000000000001031562Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:08.460{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441904C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031561Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:08.460{2E2BE06D-CA2C-60FA-630B-00000000E601}47285920C:\Windows\Explorer.EXE{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031560Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:08.460{2E2BE06D-CA2C-60FA-630B-00000000E601}47285920C:\Windows\Explorer.EXE{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031559Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:08.460{2E2BE06D-CA2C-60FA-630B-00000000E601}47286420C:\Windows\Explorer.EXE{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031558Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:08.460{2E2BE06D-CA2C-60FA-630B-00000000E601}47286420C:\Windows\Explorer.EXE{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031557Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:08.460{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441904C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031556Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:08.444{2E2BE06D-CA2B-60FA-5D0B-00000000E601}43204564C:\Windows\system32\taskhostw.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001031569Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:09.741{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56592ECA7F9BBC4B863BC8225E2AE607,SHA256=09899EEF6EF47CF693A36835FC2951E7A1E5CF653784118A7A8DD7FEB1483932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893975Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:09.026{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DC7D1505DD056B1E4861D4E9F1A4E7,SHA256=2973B1D0BB76416C99E2186F3FAE06EEB1B8DBC290A73482A067D5114DB1C14E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031571Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:10.300{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57655-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031570Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:10.757{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7E2816FD6337D59B85302D5CB48CD7A,SHA256=595B998007DD9F2BF4D23C4F24FB3833627EE4D3C0BE6195AF68CA51072B0492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893976Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:10.042{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6826A2B423C7BAF2E125DC7FEE03D46,SHA256=ACE55CBDFA83ACED24104462603219DBB0F96DD127B9BB907B56F907CF729ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031577Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:11.819{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1C9ABD727908BAC0D0C492F618A989,SHA256=7EE0E2B6E1BCD8D3BB12C704D6B3555505C44673DC42AF41CF4BD3A25F4C1311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893977Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:11.057{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD304DF25DA0B1216DC6E8A8C4AA092,SHA256=F2F98AC6A73057E1FB9AE23BD8297185E5B31E25B0D55913AE52DE3358E5737E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031576Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:11.147{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441904C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031575Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:11.147{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441904C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031574Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:11.147{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441904C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031573Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:11.147{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441904C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031572Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:11.102{2E2BE06D-7527-60FE-BE79-00000000E601}4128C:\Windows\System32\mmc.exe10.0.14393.4169 (rs1_release.210107-1130)Microsoft Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpedit.msc" C:\Users\Administrator\ATTACKRANGE\Administrator{2E2BE06D-CA2A-60FA-99E8-600000000000}0x60e8992HighMD5=495BFF5AE1B52661212BB65F1CFDA718,SHA256=A08EC9D2F811726BDCD71F7C5B40CDB543D092C11811A45180E569FE3F62124D,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9F{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x80000000000000001031584Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:12.866{2E2BE06D-7527-60FE-BE79-00000000E601}4128ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\T9Y2J1PJ\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031583Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:12.850{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD234934D8A07EAD937EC9461F0EBCD6,SHA256=5AA41A69DFE28217935D9BE8EB980EF03AB49A254CE500E701EBFFCF72ADC2BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893979Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:03.073{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52742-false10.0.1.12-8000- 23542300x8000000000000000893978Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:12.073{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87EFE62D69BB796A04A8FF14E0FD3158,SHA256=6FC1C1FF6436DAFCB3E87424EE64EC7E43938A59998F3FD87C880475152EFE8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031582Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:12.225{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C53C911DEF14E0B87D003EE4D54DCDEF,SHA256=7659F9F994066226495E1860F558C86CD22857A5041D3BE5A408019EA286EAF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031581Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:12.053{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441904C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001031580Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:12.053{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441904C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001031579Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:12.053{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001031578Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:12.053{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001031595Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:13.883{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6FE70FC982546186522A5812A598052,SHA256=EE5C871CF473828921FA160A26531BD942764D4FE3150DF2706C01925BA7C179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031594Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:13.852{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B488CDD8697D5B711AAC94DC9C956255,SHA256=20F1205A078634BA6AA02BB0888088D655D6C7E324A3606FA5B1C9A2E3A66BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893980Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:13.088{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E37422B659CF9FF62A905EF180071E08,SHA256=2E333B8A4F0A1061A7146F0412B7FF7087A68DC2761D9F3A973F573E0E11FA6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031593Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:13.789{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001031592Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:13.789{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001031591Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:13.789{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441904C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001031590Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:13.789{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441904C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001031589Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:13.789{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441904C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001031588Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:13.789{2E2BE06D-CA2B-60FA-5A0B-00000000E601}42203868C:\Windows\system32\sihost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031587Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:13.742{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001031586Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:13.742{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001031585Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:13.742{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-CA36-60FA-730B-00000000E601}712C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 354300x80000000000000001031602Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:13.701{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.69unn-212-102-35-69.cdn77.com59092-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001031601Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:14.883{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50E82BD7255AC5FBF405C099D43B2A74,SHA256=CBCAB9DC3469E32FE68ABCE3060E2CEFDF7DF4546A3D57B8D6505C7615C6E0D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893981Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:14.104{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78CBEEC8CA2D91819E014F3FB83A2587,SHA256=62295ED90A0F5FCE0E48C5BB9D8D20F4EF7C8F4797CC4463C77C3D3721E6D092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031600Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:14.164{2E2BE06D-CA2B-60FA-5D0B-00000000E601}4320ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\VQOB2FBZ\views[1]MD5=BEE1758A485085BB8A121EB74BA7E96F,SHA256=EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031599Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:14.164{2E2BE06D-7527-60FE-BE79-00000000E601}4128ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\T9Y2J1PJ\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031598Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:14.148{2E2BE06D-CA2B-60FA-5D0B-00000000E601}4320ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\T9Y2J1PJ\views[1]MD5=A726593A8261930E4786375106FC6BFE,SHA256=E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031597Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:14.148{2E2BE06D-7527-60FE-BE79-00000000E601}4128ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\3NEM2CS6\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031596Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:14.133{2E2BE06D-7527-60FE-BE79-00000000E601}4128ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\VQOB2FBZ\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031604Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:15.379{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57656-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031603Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:15.914{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF12AC910281C74122A9B83AC713009,SHA256=511EE545DC3EC2CBAC2DB61465F215FD57A6C9899A1441706AB3E1E8FADBD88D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893982Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:15.104{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4679AD5EC9C69825290585D1FAEB0CDC,SHA256=3FCA97A3EE82CE39BA72BB1C53994052CE4E77E4EC1E0E2A3503E91A0DA64D2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031605Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:16.930{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B582FCDAE61CC218F8BAE899DEC97C5E,SHA256=6E5417B31E7D26615799287A57CDFB0277651EC09BDAF01E9B2D8991915C242F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893983Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:16.120{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ECB68F8A057BEEB6B425ABE54E57CE5,SHA256=599CC691862D61BA8E06D74FC10BA3B0D0470A6FA0A1A80949869F300A60F8D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031607Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:17.945{2E2BE06D-6DD8-60FA-1200-00000000E601}780NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9FF779BF7E8A6364EB91FB129E632C19,SHA256=B3A4EB92D423E5F5E4B8C2A38EB5E20308B446B8D298C7EA47F1381830FAD13C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031606Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:17.930{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A33E6367735B8CEE5C30E8B622D958D,SHA256=140BF93EDAC5E8B21CAEE7426B0BB3C7C38986A81DC4A36944A77468A789937C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893984Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:17.135{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD0F7C704B950F858A85D9C91F4DCDF0,SHA256=F034B6BC4483A4B44B45799B4AC47B6A318026F704CD614B13528E168CA9DADB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031608Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:18.945{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E844C9281A61DDDB9F8BC339C37DD3,SHA256=83CB97DEF559D396410902973447C7CA0EC69B6221DB129BC00CF8EE5C415F9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893986Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:08.229{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52743-false10.0.1.12-8000- 23542300x8000000000000000893985Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:18.135{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA6C3A27D3EA962841F5E8EDDDD8868,SHA256=9518AFF52E4B077EB544007D461FE1846D1F827614FCF8885142D98CA4E6D73B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001031611Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.localT1037,T14842021-07-26 08:41:19.570{2E2BE06D-7527-60FE-BE79-00000000E601}4128C:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Scripts\Shutdown2021-07-26 08:41:19.570 11241100x80000000000000001031610Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.localT1037,T14842021-07-26 08:41:19.570{2E2BE06D-7527-60FE-BE79-00000000E601}4128C:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Scripts\Startup2021-07-26 08:41:19.570 11241100x80000000000000001031609Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.localT1037,T14842021-07-26 08:41:19.570{2E2BE06D-7527-60FE-BE79-00000000E601}4128C:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Scripts2021-07-26 08:41:19.570 23542300x8000000000000000893987Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:19.151{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AB11DE737DDC401E320D01D51D2CECB,SHA256=C2EC71B03E52A9FA1A992FDD80AF796397AD94AB933EAEC8376B8A4009813DC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031612Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:20.023{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861A626A6EEC18FB14C4AC6E1D29EF6F,SHA256=E2888F118149F0A10FC50E83B61A55EF1FB52D512727919C7E322F806A0B238F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893988Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:20.167{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2942FD6F73E06EE7A2AC022357A197D7,SHA256=521DF91C06FE166D141E73854025C11C53ACB99E3B7F2BDDA8758A4C57D0AD32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893989Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:21.182{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E965398EC5973FAF10AF7C50DA4821,SHA256=D0F3FE24C39458B8F8434D433062922C34D4B1C2DA4D9AFF1460DEEEDC74BC1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031614Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:21.207{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57657-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031613Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:21.086{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114371C302DC82F43C631A729FDA71B6,SHA256=4F54582EF7DF68899C52C47BA3B206B6532D13D7C382ADC77E3BAEBB85E28EB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893990Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:22.198{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBDA1E43601911C82A6AC74E99F4E4E5,SHA256=B034ABD53FC6A84D31DDC8CF718B2E888341B06269402C75AEB0575AD62C0588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031617Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:22.773{2E2BE06D-7527-60FE-BE79-00000000E601}4128ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-56.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000001031616Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:22.680{2E2BE06D-7527-60FE-BE79-00000000E601}4128C:\Windows\System32\mmc.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x80000000000000001031615Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:22.102{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4897F5DFECE57AB9B68DAC9F1992455,SHA256=1FFD217EB2CD93D9D02C609874368431AFDA505CE48DCFD009DB2A5D7CD4D89E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031620Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:23.793{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-56.attackrange.local57658-false10.0.1.14win-dc-56.attackrange.local389ldap 354300x80000000000000001031619Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:23.792{2E2BE06D-7527-60FE-BE79-00000000E601}4128C:\Windows\System32\mmc.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-56.attackrange.local57658-false10.0.1.14win-dc-56.attackrange.local389ldap 23542300x80000000000000001031618Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:23.102{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85B4DC26FBE4287C56DE4A1C8F12EA8,SHA256=A757757CEBC7D1E54FE8D01EA87969273162C73C3266D40CE87B5F20BF80C699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893994Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:23.213{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50CE54D4F02A3E9E1570D351A6757BD5,SHA256=4ADB8F74AB2FBBEBAEE634617E893460DC2ECB47CDD7FD96DAE52E64C9CDB872,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893993Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:23.151{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FC54164F13B858B7227417F5CA63B24,SHA256=DE9317287B6E95D93D7437F9FCFC30CD054E94EC6BAF9A1DFBF1CF7D427070B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893992Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:23.151{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED8B5D921AA65CE01AF4B0475CB7F12B,SHA256=1E6E88A76445DD51BA9A1645652D3A8201A37ED891635B1E1821F50034353E98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893991Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:13.195{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net51207-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893996Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:24.214{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90E425A01B5BBB99426C156F73E5B3C,SHA256=D38184E8D8D5142E3A80F7FEDFB95D19FA7690EF05078108FB60EAFA60D5AF1D,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001031622Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:23.817{2E2BE06D-7527-60FE-BE79-00000000E601}4128win-dc-56.attackrange.local0fe80::90d2:7368:bb37:9ac5;::ffff:10.0.1.14;C:\Windows\System32\mmc.exe 23542300x80000000000000001031621Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:24.117{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42FE5628D09DE69460D5406AE33CA570,SHA256=EBDE74DD730E736732EDACBD84D521CE45A7A577171CCFAEEE82C87856B26048,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893995Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:14.167{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52744-false10.0.1.12-8000- 23542300x8000000000000000893997Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:25.229{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED8056CA2B81E737824F0D5228377065,SHA256=0B9EA3737DAAF0465741BC76F8D1ED29A6BCD0FD3AB86334A17FDD7DC2406F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031660Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.383{2E2BE06D-6DE8-60FA-2700-00000000E601}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031659Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.227{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61BAF32EAEF6020A4A2625F32E524D8C,SHA256=7ABB143A78F487C90CFAC9EC6F8ACEF487B1693660760AA26D964C12F67B681B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031658Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.148{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+5340e|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+9dd2c|C:\Windows\System32\ieframe.dll+9dbd4|C:\Windows\System32\ieframe.dll+9d817|C:\Windows\System32\ieframe.dll+9d73c|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d|C:\Windows\System32\mshtml.dll+137208|C:\Windows\System32\mshtml.dll+139dd0|C:\Windows\System32\mshtml.dll+1382e7 10341000x80000000000000001031657Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.148{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53378|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+9dd2c|C:\Windows\System32\ieframe.dll+9dbd4|C:\Windows\System32\ieframe.dll+9d817|C:\Windows\System32\ieframe.dll+9d73c|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d|C:\Windows\System32\mshtml.dll+137208|C:\Windows\System32\mshtml.dll+139dd0|C:\Windows\System32\mshtml.dll+1382e7 10341000x80000000000000001031656Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.133{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5335a|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+9dd2c|C:\Windows\System32\ieframe.dll+9dbd4|C:\Windows\System32\ieframe.dll+9d817|C:\Windows\System32\ieframe.dll+9d73c|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8 10341000x80000000000000001031655Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.133{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5335a|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+9dd2c|C:\Windows\System32\ieframe.dll+9dbd4|C:\Windows\System32\ieframe.dll+9d817|C:\Windows\System32\ieframe.dll+9d73c|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d 10341000x80000000000000001031654Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.133{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+5340e|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+9dccc|C:\Windows\System32\ieframe.dll+9dbd4|C:\Windows\System32\ieframe.dll+9d817|C:\Windows\System32\ieframe.dll+9d73c|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d|C:\Windows\System32\mshtml.dll+137208|C:\Windows\System32\mshtml.dll+139dd0|C:\Windows\System32\mshtml.dll+1382e7 10341000x80000000000000001031653Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.133{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53378|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+9dccc|C:\Windows\System32\ieframe.dll+9dbd4|C:\Windows\System32\ieframe.dll+9d817|C:\Windows\System32\ieframe.dll+9d73c|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d|C:\Windows\System32\mshtml.dll+137208|C:\Windows\System32\mshtml.dll+139dd0|C:\Windows\System32\mshtml.dll+1382e7 10341000x80000000000000001031652Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.133{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5335a|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+9dccc|C:\Windows\System32\ieframe.dll+9dbd4|C:\Windows\System32\ieframe.dll+9d817|C:\Windows\System32\ieframe.dll+9d73c|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8 10341000x80000000000000001031651Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.133{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5335a|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+9dccc|C:\Windows\System32\ieframe.dll+9dbd4|C:\Windows\System32\ieframe.dll+9d817|C:\Windows\System32\ieframe.dll+9d73c|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d 10341000x80000000000000001031650Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.133{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+5340e|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+9dbc5|C:\Windows\System32\ieframe.dll+9d817|C:\Windows\System32\ieframe.dll+9d73c|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d|C:\Windows\System32\mshtml.dll+137208|C:\Windows\System32\mshtml.dll+139dd0|C:\Windows\System32\mshtml.dll+1382e7|C:\Windows\System32\mshtml.dll+84321 10341000x80000000000000001031649Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.133{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53378|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+9dbc5|C:\Windows\System32\ieframe.dll+9d817|C:\Windows\System32\ieframe.dll+9d73c|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d|C:\Windows\System32\mshtml.dll+137208|C:\Windows\System32\mshtml.dll+139dd0|C:\Windows\System32\mshtml.dll+1382e7|C:\Windows\System32\mshtml.dll+84321 10341000x80000000000000001031648Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.133{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5335a|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+9dbc5|C:\Windows\System32\ieframe.dll+9d817|C:\Windows\System32\ieframe.dll+9d73c|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d 10341000x80000000000000001031647Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.133{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5335a|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+9dbc5|C:\Windows\System32\ieframe.dll+9d817|C:\Windows\System32\ieframe.dll+9d73c|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d|C:\Windows\System32\mshtml.dll+137208 10341000x80000000000000001031646Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.133{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+5340e|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+9db8a|C:\Windows\System32\ieframe.dll+9d817|C:\Windows\System32\ieframe.dll+9d73c|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d|C:\Windows\System32\mshtml.dll+137208|C:\Windows\System32\mshtml.dll+139dd0|C:\Windows\System32\mshtml.dll+1382e7|C:\Windows\System32\mshtml.dll+84321 10341000x80000000000000001031645Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.133{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53378|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+9db8a|C:\Windows\System32\ieframe.dll+9d817|C:\Windows\System32\ieframe.dll+9d73c|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d|C:\Windows\System32\mshtml.dll+137208|C:\Windows\System32\mshtml.dll+139dd0|C:\Windows\System32\mshtml.dll+1382e7|C:\Windows\System32\mshtml.dll+84321 10341000x80000000000000001031644Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.133{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5335a|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+9db8a|C:\Windows\System32\ieframe.dll+9d817|C:\Windows\System32\ieframe.dll+9d73c|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d 10341000x80000000000000001031643Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.133{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5335a|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+9db8a|C:\Windows\System32\ieframe.dll+9d817|C:\Windows\System32\ieframe.dll+9d73c|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d|C:\Windows\System32\mshtml.dll+137208 10341000x80000000000000001031642Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.133{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+5340e|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+9db4f|C:\Windows\System32\ieframe.dll+9d817|C:\Windows\System32\ieframe.dll+9d73c|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d|C:\Windows\System32\mshtml.dll+137208|C:\Windows\System32\mshtml.dll+139dd0|C:\Windows\System32\mshtml.dll+1382e7|C:\Windows\System32\mshtml.dll+84321 10341000x80000000000000001031641Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.133{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53378|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+9db4f|C:\Windows\System32\ieframe.dll+9d817|C:\Windows\System32\ieframe.dll+9d73c|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d|C:\Windows\System32\mshtml.dll+137208|C:\Windows\System32\mshtml.dll+139dd0|C:\Windows\System32\mshtml.dll+1382e7|C:\Windows\System32\mshtml.dll+84321 10341000x80000000000000001031640Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.133{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5335a|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+9db4f|C:\Windows\System32\ieframe.dll+9d817|C:\Windows\System32\ieframe.dll+9d73c|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d 10341000x80000000000000001031639Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.133{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5335a|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+9db4f|C:\Windows\System32\ieframe.dll+9d817|C:\Windows\System32\ieframe.dll+9d73c|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d|C:\Windows\System32\mshtml.dll+137208 23542300x80000000000000001031638Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.117{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F40091433EEC75F22F8442566804807F,SHA256=8DFB6C76F0BA337B6759A112126924C5513CC7E210888F456E847F802CA3267E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031637Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.117{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+5340e|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+13f498|C:\Windows\System32\ieframe.dll+13ef88|C:\Windows\System32\ieframe.dll+18d851|C:\Windows\System32\ieframe.dll+9d3e4|C:\Windows\System32\ieframe.dll+9d713|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d|C:\Windows\System32\mshtml.dll+137208|C:\Windows\System32\mshtml.dll+139dd0 10341000x80000000000000001031636Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.117{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53378|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+13f498|C:\Windows\System32\ieframe.dll+13ef88|C:\Windows\System32\ieframe.dll+18d851|C:\Windows\System32\ieframe.dll+9d3e4|C:\Windows\System32\ieframe.dll+9d713|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d|C:\Windows\System32\mshtml.dll+137208|C:\Windows\System32\mshtml.dll+139dd0 10341000x80000000000000001031635Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.117{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5335a|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+13f498|C:\Windows\System32\ieframe.dll+13ef88|C:\Windows\System32\ieframe.dll+18d851|C:\Windows\System32\ieframe.dll+9d3e4|C:\Windows\System32\ieframe.dll+9d713|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437 10341000x80000000000000001031634Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.117{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5335a|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+13f498|C:\Windows\System32\ieframe.dll+13ef88|C:\Windows\System32\ieframe.dll+18d851|C:\Windows\System32\ieframe.dll+9d3e4|C:\Windows\System32\ieframe.dll+9d713|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8 10341000x80000000000000001031633Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.117{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+5340e|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+13f483|C:\Windows\System32\ieframe.dll+13ef88|C:\Windows\System32\ieframe.dll+18d851|C:\Windows\System32\ieframe.dll+9d3e4|C:\Windows\System32\ieframe.dll+9d713|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d|C:\Windows\System32\mshtml.dll+137208|C:\Windows\System32\mshtml.dll+139dd0 10341000x80000000000000001031632Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.117{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53378|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+13f483|C:\Windows\System32\ieframe.dll+13ef88|C:\Windows\System32\ieframe.dll+18d851|C:\Windows\System32\ieframe.dll+9d3e4|C:\Windows\System32\ieframe.dll+9d713|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d|C:\Windows\System32\mshtml.dll+137208|C:\Windows\System32\mshtml.dll+139dd0 10341000x80000000000000001031631Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.117{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5335a|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+13f483|C:\Windows\System32\ieframe.dll+13ef88|C:\Windows\System32\ieframe.dll+18d851|C:\Windows\System32\ieframe.dll+9d3e4|C:\Windows\System32\ieframe.dll+9d713|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437 10341000x80000000000000001031630Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.117{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5335a|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+13f483|C:\Windows\System32\ieframe.dll+13ef88|C:\Windows\System32\ieframe.dll+18d851|C:\Windows\System32\ieframe.dll+9d3e4|C:\Windows\System32\ieframe.dll+9d713|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8 10341000x80000000000000001031629Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.117{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+5340e|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+13f483|C:\Windows\System32\ieframe.dll+13f386|C:\Windows\System32\ieframe.dll+9d46f|C:\Windows\System32\ieframe.dll+9d713|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d|C:\Windows\System32\mshtml.dll+137208|C:\Windows\System32\mshtml.dll+139dd0|C:\Windows\System32\mshtml.dll+1382e7 10341000x80000000000000001031628Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.117{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53378|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+13f483|C:\Windows\System32\ieframe.dll+13f386|C:\Windows\System32\ieframe.dll+9d46f|C:\Windows\System32\ieframe.dll+9d713|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d|C:\Windows\System32\mshtml.dll+137208|C:\Windows\System32\mshtml.dll+139dd0|C:\Windows\System32\mshtml.dll+1382e7 10341000x80000000000000001031627Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.117{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5335a|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+13f483|C:\Windows\System32\ieframe.dll+13f386|C:\Windows\System32\ieframe.dll+9d46f|C:\Windows\System32\ieframe.dll+9d713|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8 10341000x80000000000000001031626Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.117{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5335a|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\System32\ieframe.dll+13f483|C:\Windows\System32\ieframe.dll+13f386|C:\Windows\System32\ieframe.dll+9d46f|C:\Windows\System32\ieframe.dll+9d713|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8|C:\Windows\System32\mshtml.dll+13b97d 10341000x80000000000000001031625Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.117{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6497|C:\Windows\System32\SHCORE.DLL+6387|C:\Windows\System32\SHCORE.DLL+62fd|C:\Windows\System32\SHCORE.DLL+620a|C:\Windows\System32\SHELL32.dll+d158a|C:\Windows\System32\SHELL32.dll+84a04|C:\Windows\System32\SHELL32.dll+84658|C:\Windows\System32\ieframe.dll+13f483|C:\Windows\System32\ieframe.dll+13f386|C:\Windows\System32\ieframe.dll+9d46f|C:\Windows\System32\ieframe.dll+9d713|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8 10341000x80000000000000001031624Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.117{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+d1578|C:\Windows\System32\SHELL32.dll+84a04|C:\Windows\System32\SHELL32.dll+84658|C:\Windows\System32\ieframe.dll+13f483|C:\Windows\System32\ieframe.dll+13f386|C:\Windows\System32\ieframe.dll+9d46f|C:\Windows\System32\ieframe.dll+9d713|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437 10341000x80000000000000001031623Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:25.117{2E2BE06D-7527-60FE-BE79-00000000E601}41286280C:\Windows\system32\mmc.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+d1578|C:\Windows\System32\SHELL32.dll+84a04|C:\Windows\System32\SHELL32.dll+84658|C:\Windows\System32\ieframe.dll+13f483|C:\Windows\System32\ieframe.dll+13f386|C:\Windows\System32\ieframe.dll+9d46f|C:\Windows\System32\ieframe.dll+9d713|C:\Windows\System32\ieframe.dll+63265|C:\Windows\System32\ieframe.dll+62fca|C:\Windows\System32\ieframe.dll+60659|C:\Windows\System32\ieframe.dll+ca868|C:\Windows\System32\ieframe.dll+11b613|C:\Windows\System32\ieframe.dll+a918c|C:\Windows\System32\ieframe.dll+a972c|C:\Windows\System32\ieframe.dll+a951d|C:\Windows\System32\ieframe.dll+a9437|C:\Windows\System32\mshtml.dll+13c0b8 23542300x8000000000000000893998Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:26.245{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D85D4C2468F16D04A2C03D112769BB88,SHA256=B38FCF11E39734E7755E667C60DFF8B6F8CB18D1C87B80F6792C2368192D565E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031661Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:26.227{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20304A63430C8A0B7C9576C3EB13B510,SHA256=28E63C251CF3E8C0807BFA6A24A03DF521F8F514742655653A1EA82BD8726624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031664Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:27.242{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D777FA14CFB89BC4900591305E36953,SHA256=2774ACC26A7A7A4E9470AF35FA98DBF4DCA401F56A69DE4CEC3C59627B8DA9EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000894022Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:27.948{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7537-60FE-2779-00000000E701}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894021Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:27.932{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894020Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:27.932{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894019Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:27.932{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894018Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:27.932{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894017Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:27.932{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894016Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:27.932{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894015Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:27.932{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894014Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:27.932{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894013Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:27.932{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894012Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:27.932{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-7537-60FE-2779-00000000E701}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000894011Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:27.932{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7537-60FE-2779-00000000E701}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000894010Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:27.933{D94AFF6C-7537-60FE-2779-00000000E701}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000894009Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:27.245{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022F888F674A7E16DDA8D033E7CE3E5E,SHA256=20607EEE2DAED0F480602F49CECB9DCB5E05FFEAE835A5C21E61D5646B6DFA86,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000894008Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:41:27.213{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000894007Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:41:27.213{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fbcb741) 13241300x8000000000000000894006Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:41:27.213{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d781f1-0xa24e3704) 13241300x8000000000000000894005Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:41:27.213{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d781fa-0x04129f04) 13241300x8000000000000000894004Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:41:27.213{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78202-0x65d70704) 13241300x8000000000000000894003Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:41:27.213{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000894002Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:41:27.213{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fbcb741) 13241300x8000000000000000894001Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:41:27.213{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d781f1-0xa24e3704) 13241300x8000000000000000894000Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:41:27.213{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d781fa-0x04129f04) 13241300x8000000000000000893999Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:41:27.213{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78202-0x65d70704) 354300x80000000000000001031663Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:26.504{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57660-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001031662Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:26.333{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57659-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031665Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:28.258{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F1412FED2CF1504A2DF7F67E8CF5CDD,SHA256=C8FE3884507E0EBCF47B858F0E15C4BF2341CB532F9087907953D617C35092B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894039Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:28.995{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6B1262FD259E5E9EA90F63C53B0C7CB,SHA256=6B08AC4A2492A1652516304D5BD62C1B3ED5F1E3F4AF8D7C2108A7032F51BC22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894038Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:28.995{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FC54164F13B858B7227417F5CA63B24,SHA256=DE9317287B6E95D93D7437F9FCFC30CD054E94EC6BAF9A1DFBF1CF7D427070B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000894037Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:28.620{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7538-60FE-2879-00000000E701}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894036Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:28.604{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894035Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:28.604{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894034Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:28.604{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894033Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:28.604{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894032Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:28.604{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894031Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:28.604{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894030Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:28.604{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894029Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:28.604{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894028Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:28.604{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894027Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:28.604{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-7538-60FE-2879-00000000E701}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000894026Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:28.604{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7538-60FE-2879-00000000E701}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000894025Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:28.605{D94AFF6C-7538-60FE-2879-00000000E701}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000894024Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:19.229{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52745-false10.0.1.12-8000- 23542300x8000000000000000894023Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:28.260{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE1686395FDA57B403C6D9F23BA70100,SHA256=E6ED3650D490DAD6D69C22539ACAC279D0377227F8DEF6CAC0FA1EFCCCA96119,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000894067Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.963{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7539-60FE-2A79-00000000E701}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894066Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.963{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894065Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.963{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894064Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.963{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894063Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.963{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894062Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.948{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894061Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.948{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894060Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.948{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894059Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.948{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894058Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.948{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894057Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.948{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-7539-60FE-2A79-00000000E701}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000894056Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.948{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7539-60FE-2A79-00000000E701}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000894055Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.949{D94AFF6C-7539-60FE-2A79-00000000E701}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000894054Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.417{D94AFF6C-7539-60FE-2979-00000000E701}32882648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894053Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.292{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7539-60FE-2979-00000000E701}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894052Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.276{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894051Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.276{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894050Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.276{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894049Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.276{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894048Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.276{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894047Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.276{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894046Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.276{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894045Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.276{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894044Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.276{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-7539-60FE-2979-00000000E701}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000894043Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.276{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894042Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.276{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7539-60FE-2979-00000000E701}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000894041Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.277{D94AFF6C-7539-60FE-2979-00000000E701}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000894040Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:29.276{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9866D36C68CD07F545E267C99B0EE53,SHA256=95E3BF37F5A68F97E59E33E658927170E1639EF1A479FB08642B2F13376ECC5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031666Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:29.333{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B10EDEDF9376242FA0F24492BD56B4CE,SHA256=0EF75CEB27AA6126F132947321B6A4F0EA4BC761E6F6103A25D2993D03BEA1CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894069Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:30.620{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D88147BB630CA01B8B4D00EB18A56B58,SHA256=BC6DDC9CF650EB5C4C5FE4BCE0D46CB8DEFF6456C6A7DD552240A306377EC550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894068Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:30.292{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6B1262FD259E5E9EA90F63C53B0C7CB,SHA256=6B08AC4A2492A1652516304D5BD62C1B3ED5F1E3F4AF8D7C2108A7032F51BC22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031667Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:30.336{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DB4840E9C1C83DCD939D318360B42B6,SHA256=795A9BEA56C111F492DB1189CBAB87A98FAB283C18CF88480A10E8E9D0E54F26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894070Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:31.385{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F893107853A69BB74FCB8CBC270D6CCB,SHA256=2895B4E28F37719178636D27A00E3AA5B44587DD057BBB2577E6E1C87C549BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031668Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:31.383{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE56AEDAA04AFD09F36D4820D29EC572,SHA256=0A4BB5BD5E29BCFC2AF2643BC5D8CBB61D4AACE119A20E2D64311AF985ECA467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894071Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:32.526{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEA36F83A64486411C38FC87BCF2A9BC,SHA256=8CCFA9C78A6531F4AB3D7553206E2B793F3101875E75D66439E19F0D72F2A9FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031669Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:32.414{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE7BFA8867D39B79B963D73FD4886FF9,SHA256=23C1A3D5A86A38CDA53E850D5F43BFD64838DC89F0D3F7F236EF8A07227BDBA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894072Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:33.745{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13C1B0785FFD605D2215ACE1198785F,SHA256=C892CCE305C7E98A8B8844288E999E20D12A7C27DC7FAF828D62E76236D92220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031673Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:33.414{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E8E567911E06EBA4501AABE14F5EEF,SHA256=A4D6DE176D001398CE722928194DD26A39E373CF9175B254EE797CBDBDE5AE03,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031672Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:32.222{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57661-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001031671Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:33.008{2E2BE06D-6DD6-60FA-0B00-00000000E601}6364304C:\Windows\system32\lsass.exe{2E2BE06D-6DD3-60FA-0100-00000000E601}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 17141700x80000000000000001031670Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-CreatePipe2021-07-26 08:41:33.008{2E2BE06D-6DD6-60FA-0A00-00000000E601}628\scerpcC:\Windows\system32\services.exe 23542300x8000000000000000894073Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:34.979{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F9280966F07BD6FA72B570B206BC1A,SHA256=E3BBBCDB075A71FA60ED94EC6B96102F8C42DF7AFF7A513C6380AFB80CBBDD45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031680Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:34.461{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB964FC867ED70BF69242F9DE8C6AD0,SHA256=D24FBA6ED36FDFB61DB03B4EE0FE9420C085E1A26DB107175DFB58F179B22326,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031679Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:34.152{2E2BE06D-6DD3-60FA-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57662-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local445microsoft-ds 354300x80000000000000001031678Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:34.152{2E2BE06D-6DD3-60FA-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57662-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local445microsoft-ds 23542300x80000000000000001031677Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:34.039{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4078DDAF0C18C2DD7C1823198E31B5C5,SHA256=69241D784A2CA6EFAB7B2BD9EB6D4712DD657630BB94EF9FCDBA2724E66F1A78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031676Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:34.039{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4896131CEF54C0EC170AB8752A4A443E,SHA256=EA3A92FCB1C36FF5B48545E8180A896E97C11268F92A9B962CFB27A14E769755,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031675Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:34.039{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=709CE67CAEFA6A1E327C21D493B26641,SHA256=8F8F7C25C4D4EB69F996FBE3C26C0D9A677528EDF49A852380D9C4FF4B672895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031674Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:34.039{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D458FC730ACFBA1EB1EC82EBFAC9B1DE,SHA256=0DD84864B3C7FD7BEB82952AAEE0C49FF88671A074E548466C8E8844080AACA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031681Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:35.539{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B6E516496F6CF0A25D5F87A08A43A82,SHA256=D55DD07CB1990D9147827D0F23F069E4E8E0D513B8D2C4D7900265CAC83EC316,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000894088Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:25.119{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52746-false10.0.1.12-8000- 10341000x8000000000000000894087Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:35.588{D94AFF6C-753F-60FE-2B79-00000000E701}1488720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894086Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:35.479{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-753F-60FE-2B79-00000000E701}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894085Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:35.479{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894084Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:35.479{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894083Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:35.464{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894082Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:35.464{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894081Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:35.464{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894080Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:35.464{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894079Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:35.464{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894078Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:35.464{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894077Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:35.464{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894076Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:35.464{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-753F-60FE-2B79-00000000E701}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000894075Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:35.464{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-753F-60FE-2B79-00000000E701}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000894074Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:35.464{D94AFF6C-753F-60FE-2B79-00000000E701}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031682Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:36.539{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB822AC5FD69E582AA21A47639A36992,SHA256=1FCAE8B887F940E8AFB9413F52BD30FF2155F3133C6561DEF3D5A29E2C6EC3A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894091Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:36.542{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58D1A01163330EEF36AA1B07BADBD4A1,SHA256=BCB13058B63AB7DCAE665E2E3F27BA56F8DD6A9EAA23619BDBE7E1B0E566BF23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894090Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:36.542{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=691B1CEF06C2852EE749FE1CB71EBAE9,SHA256=819ED7156FA10A499D4619BCBDB730F9CA960D350417F758E44FB9DF4D981227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894089Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:36.120{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=633B5846B4E9C5BB800BD8D4EEE01366,SHA256=143D55588C7D97D6F2BAA9F92389C7035D9B000BE3F181B17CF1B579F5738763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031683Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:37.554{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB8CB71B6202729A69523C657BCADEF0,SHA256=D8741732D22B95F06A3DE7DF4DA7FF7BD731D42DCA174CD86466C1F82CE05BA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894092Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:37.229{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36F17D5788D63FFB885B3495B9EC109B,SHA256=5F622C321B7988AC43349615EAC4914A2B2668AAF6093D5F29F7AC6F85BD137C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031685Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:38.773{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C412D529926A1E46EC2DDF06416B9DA,SHA256=B9A63C9C68026548464D84F988B1FDBEB3B2A265C6F5E17F4E8603788FEA6DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894093Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:38.385{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9063AC2E0F122D8AE0D80B6D4969F7,SHA256=8F9DFD4F696361AE1ED69B67EC68663FE0BB3E54C333CCA0A88162E34E8E10CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031684Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:37.332{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57663-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031686Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:39.773{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ECBF0C80C80E21A066B95813C72CFCF,SHA256=9A57E141BBEB654E7E58C978D96C190D4D05FBEA08A288F954006C0E832BEB0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000894108Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:39.573{D94AFF6C-7543-60FE-2C79-00000000E701}28724008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894107Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:39.448{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7543-60FE-2C79-00000000E701}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894106Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:39.448{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894105Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:39.448{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894104Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:39.432{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894103Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:39.432{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894102Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:39.432{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894101Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:39.432{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894100Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:39.432{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894099Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:39.432{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894098Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:39.432{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894097Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:39.432{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-7543-60FE-2C79-00000000E701}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000894096Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:39.432{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7543-60FE-2C79-00000000E701}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000894095Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:39.433{D94AFF6C-7543-60FE-2C79-00000000E701}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000894094Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:39.401{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F2DE67E45B56860B267927227A5F02,SHA256=E138606C5DF6F4943AA6A6DAF632D117EB459A5829948F01835E3EA57568870C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894124Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:40.714{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58D1A01163330EEF36AA1B07BADBD4A1,SHA256=BCB13058B63AB7DCAE665E2E3F27BA56F8DD6A9EAA23619BDBE7E1B0E566BF23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894123Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:40.714{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B0F6CC655EAD17F5F42E7B5D2A3C75,SHA256=8944C2C0945EE00E9DFF3CD6673F52AAD8342D0E423D93F1E69734649FB1643B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031687Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:40.789{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=312DFCD459C40FD6AB266CC702E03F73,SHA256=3D499A96FD5081993429E05EB86C56ADDFD56D8FD025EF2C0B1FB04BD2CAA5B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000894122Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:40.229{D94AFF6C-7544-60FE-2D79-00000000E701}31283920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894121Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:40.120{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7544-60FE-2D79-00000000E701}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894120Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:40.104{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894119Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:40.104{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894118Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:40.104{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894117Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:40.104{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894116Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:40.104{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894115Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:40.104{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894114Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:40.104{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894113Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:40.104{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894112Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:40.104{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894111Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:40.104{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-7544-60FE-2D79-00000000E701}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000894110Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:40.104{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7544-60FE-2D79-00000000E701}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000894109Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:40.105{D94AFF6C-7544-60FE-2D79-00000000E701}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000894126Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:41.964{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF253BF63E39AD3547EF01BB57899684,SHA256=B829C923F7196CAD7B610616C2E292B1A7FCACD2D1C84D09CA7E55A8BEC47ACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031688Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:41.789{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B64B627E42D300ECF21C258CD8562A4,SHA256=2DEC1510618602BF3BED9079F0B8853BF82181CCB01130D03D8475FF273588C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000894125Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:31.057{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52747-false10.0.1.12-8000- 23542300x80000000000000001031690Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:42.804{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E47404068B2EEB4A46CC54DF8993F7E,SHA256=4BB93F7E073EB0525822B03CE1003915146E0ED787E1C4324152096E167D1468,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031689Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:42.398{2E2BE06D-6DD6-60FA-0B00-00000000E601}6364400C:\Windows\system32\lsass.exe{2E2BE06D-6DD3-60FA-0100-00000000E601}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001031694Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:43.820{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5E4CBE70627FA718DE88534DBBA31D,SHA256=E4AAB02D8595289D796649EA2C7B913B43020BB9B30372578D50BF14739C3444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894127Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:43.057{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00BDFB34B4DC2C7215A99D1D5BC66D1B,SHA256=117D016A660CB90F6643717C28D2AE39D8B2B0FD70998A95303606370B9B8375,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031693Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:43.301{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57664-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031692Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:43.367{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6703F76320458F2EF479ADF38428C6F,SHA256=A81E73AFA789220121C9273D370B22F74A7D7E8931EAC2CDA7C26C46DFC9337F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031691Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:43.367{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4078DDAF0C18C2DD7C1823198E31B5C5,SHA256=69241D784A2CA6EFAB7B2BD9EB6D4712DD657630BB94EF9FCDBA2724E66F1A78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031723Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:44.945{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7548-60FE-C079-00000000E601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031722Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:44.929{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031721Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:44.929{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031720Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:44.929{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031719Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:44.929{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031718Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:44.929{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-7548-60FE-C079-00000000E601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031717Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:44.929{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7548-60FE-C079-00000000E601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031716Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:44.774{2E2BE06D-7548-60FE-C079-00000000E601}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031715Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:44.820{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC1BDD1824A139325798C3A36425F3D,SHA256=0DD40BA98515F504BFA0B15D522F57C9548B0A5F977C673E99C9DC828AC7D01D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894128Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:44.292{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DA36AC1661DCB6BFAE1C1E8896815B4,SHA256=AA679E089E89C465410837C0EA8A29303A3D1C5258F0417E767957DC56745F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031714Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:44.773{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6703F76320458F2EF479ADF38428C6F,SHA256=A81E73AFA789220121C9273D370B22F74A7D7E8931EAC2CDA7C26C46DFC9337F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031713Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:44.570{2E2BE06D-7547-60FE-BF79-00000000E601}33326912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001031712Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:43.544{2E2BE06D-6DD3-60FA-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57669-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local445microsoft-ds 354300x80000000000000001031711Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:43.544{2E2BE06D-6DD3-60FA-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57669-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local445microsoft-ds 354300x80000000000000001031710Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:43.541{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57668-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local49666- 354300x80000000000000001031709Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:43.541{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57668-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local49666- 354300x80000000000000001031708Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:43.540{2E2BE06D-6DD8-60FA-0D00-00000000E601}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57667-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local135epmap 354300x80000000000000001031707Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:43.540{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57667-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local135epmap 354300x80000000000000001031706Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:43.439{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-56.attackrange.local57666-false10.0.1.14win-dc-56.attackrange.local389ldap 354300x80000000000000001031705Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:43.439{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57666-false10.0.1.14win-dc-56.attackrange.local389ldap 354300x80000000000000001031704Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:43.430{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57665-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001031703Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:43.429{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57665-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 10341000x80000000000000001031702Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:44.117{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7547-60FE-BF79-00000000E601}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031701Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:44.101{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031700Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:44.101{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031699Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:44.101{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031698Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:44.101{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031697Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:44.101{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-7547-60FE-BF79-00000000E601}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031696Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:44.101{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7547-60FE-BF79-00000000E601}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031695Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:43.869{2E2BE06D-7547-60FE-BF79-00000000E601}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031733Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:45.914{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DDCDEA50926ECE02AC1334A0D179CE,SHA256=219E39C8F3ED6F73524BD67E0B017537B64856826DCC8C1B319233EB23F00D1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894130Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:45.510{D94AFF6C-6DD8-60FA-1100-00000000E701}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=397B053C2ABCF4226C9B1ACDEDD93B57,SHA256=9B9192BB4A77F78498D30B0A705C5105A011B67000F26EB999E14AB3DC75D76E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894129Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:45.307{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B6B569C027B9C841E9A2F554CBC5442,SHA256=ECCDC19EA4BC45F15E168DB12FACE92050D16CCAF8D5A828A0CF463819D80ED8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031732Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:45.804{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7549-60FE-C179-00000000E601}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031731Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:45.804{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031730Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:45.804{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031729Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:45.804{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031728Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:45.804{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031727Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:45.804{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-7549-60FE-C179-00000000E601}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031726Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:45.804{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7549-60FE-C179-00000000E601}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031725Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:45.540{2E2BE06D-7549-60FE-C179-00000000E601}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031724Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:45.773{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC6EF742D6AF8F1F77B5B1EFEC2F5130,SHA256=5397011B29C56E192C6AA2435FFF9ECE7472ECCE349E4F223E1ACEDD7D5343A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031744Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:46.946{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4992397B531265F918BAD0DE5BACEEAC,SHA256=98C3CFB1FADCFDD3A3937C01CC93822BDAE688394B5D9EB8D57E5B3D06CA652C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031743Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:46.946{2E2BE06D-754A-60FE-C279-00000000E601}65684136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000894132Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:46.448{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656B4693EBD1C31E268EBD573DB34805,SHA256=ECBAE9B943C5FB9D69DA4B78526E083CB56F0FA68F44608844A5ED79641E38D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031742Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:46.601{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-754A-60FE-C279-00000000E601}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031741Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:46.601{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031740Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:46.601{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031739Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:46.587{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031738Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:46.587{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031737Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:46.587{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-754A-60FE-C279-00000000E601}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031736Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:46.587{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-754A-60FE-C279-00000000E601}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031735Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:46.431{2E2BE06D-754A-60FE-C279-00000000E601}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001031734Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:46.008{2E2BE06D-7549-60FE-C179-00000000E601}65886212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000894131Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:36.213{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52748-false10.0.1.12-8000- 23542300x80000000000000001031754Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:47.961{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D57A46E73C2746F1ACCE5A2D8CB87D10,SHA256=BEB57725D22CBB6F160E15A44F415D3D1FE4688F2566422CEB894C103961726A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894133Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:47.667{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1D2CD5AA2CBB4D34AFF409B93B6144,SHA256=94DE30D8E25AAEE07920257862E48A63721ECFB25970664E728236F2D356E006,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031753Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:47.461{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-754B-60FE-C379-00000000E601}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031752Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:47.461{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031751Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:47.461{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031750Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:47.461{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031749Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:47.461{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031748Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:47.461{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-754B-60FE-C379-00000000E601}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031747Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:47.461{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-754B-60FE-C379-00000000E601}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031746Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:47.321{2E2BE06D-754B-60FE-C379-00000000E601}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031745Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:47.445{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22F7215AC9F5B329E45FAA2A589B5FB9,SHA256=CBFAB20692CCC07472DD23A2EEF1C560D12247B414EA92D219EB7B0FFEE15D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894134Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:48.729{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EAB597BB94CB10FACF37A4B8FE6850A,SHA256=023D4EB19647FC138ECC16E95FC36052542B10F175535001BECEFF62FD6B4BAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031764Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:48.976{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E87AC6F7F9D4443AF6974EAD6E84F6,SHA256=2FB2CD1DE8E28EA59E1DF0E487DCDC2C70F1ACB61BBC07D98344A6E4ED8DF61A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031763Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:48.445{2E2BE06D-754C-60FE-C479-00000000E601}33125880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031762Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:48.242{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-754C-60FE-C479-00000000E601}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031761Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:48.226{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031760Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:48.226{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031759Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:48.226{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031758Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:48.226{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031757Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:48.226{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-754C-60FE-C479-00000000E601}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031756Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:48.226{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-754C-60FE-C479-00000000E601}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031755Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:48.212{2E2BE06D-754C-60FE-C479-00000000E601}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000894135Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:49.839{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCD3995F4EBECD8165EBC41C8824D8A,SHA256=A45DDE3966BCE815460929FE853A79015B90C2E4ECCD76DC075C5388FEFF895A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031767Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:49.992{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=981FD381AAC710321C3046D95195B25F,SHA256=189FB551A05E93FEF52FE5E561F28C6B7804A4C4C45463EDD2C124C508FA7F97,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031766Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:49.223{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57670-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031765Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:49.226{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A93B15AEDF667152F2E07D4539D0A67,SHA256=1A9019653BC895A66ECFE30A3385A2610C090EBF8B42EEFB26C4517A1C69DB31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894137Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:50.979{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D2093D16D4CABFB8D083697FB6E38D,SHA256=85E354EDF40D30D25FE9C9448C52EC427217C4B0CD4AA44E7CDC72DC2231F0CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031769Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:50.992{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340F6D08A658BCD87B2ACE4CF38515B3,SHA256=9DA6C62435C6A779A6C528C7402C3473ABB91E658E065DF5BDB16A303BEEACBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894136Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:50.557{D94AFF6C-6DD9-60FA-2200-00000000E701}1296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031768Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:50.679{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EB813DC587BDE9C636EA25866EE4525,SHA256=3DC814A2AD0BAFB843849CE7DA95732AE4FE440B4A3A8FDABC29C8EC942290C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000894138Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:42.119{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52749-false10.0.1.12-8000- 354300x80000000000000001031771Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:50.770{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57671-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 354300x80000000000000001031770Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:50.770{2E2BE06D-6DE8-60FA-2300-00000000E601}2740C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57671-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 23542300x80000000000000001031781Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:52.898{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3ACF682516619DA72DB0CED0C8C016FD,SHA256=7A17A08F1441E9F625FDF517056F7417F85D8C3BE45DB54390CE48471FA1D5D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031780Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:52.117{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-754F-60FE-C579-00000000E601}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031779Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:52.117{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031778Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:52.117{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031777Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:52.117{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031776Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:52.117{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031775Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:52.117{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-754F-60FE-C579-00000000E601}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031774Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:52.117{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-754F-60FE-C579-00000000E601}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031773Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:51.884{2E2BE06D-754F-60FE-C579-00000000E601}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031772Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:52.008{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=940DEAF2B3C8AA3913BB9C39D5FDAD57,SHA256=61DEBA46EDECD4C87BBE55E5AC9F8A3B264978D148EA0B95ADD10307CEDA6E83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000894140Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:42.541{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52750-false10.0.1.12-8089- 23542300x8000000000000000894139Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:52.120{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8589C32BE57E19905B37A891F743A448,SHA256=1C13E996C88B6D3B3CE4D04364D2A7394AADEE5DD7C7AA5B6BAD39A4AC733606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031782Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:53.211{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B945535D3D8C481C0367EF739FF0A054,SHA256=5EA436C64280A2484DD19A6FD620091ECE7E958A4A29E3DBC5631BFF2A76D979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894141Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:53.167{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=555C2E22B6B178DAC56265104DAB0478,SHA256=CD26947AAC563966EDDF0EA903A03355BC917BF54123044FAD444379FE91FBE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031785Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:54.316{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57672-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031784Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:54.476{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DF6A887D1C66AD5638EC337EE362A44,SHA256=973BA344FA55B99175969836F00147367D78F3E304138F6939063CBD096E5476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031783Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:54.242{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17B83B42971F00DD2A997D0E040F8EDD,SHA256=77CB97AE41B51B6963377D5C0D256B63A178C53FC1DBEE02FABFD8BF8B140941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894142Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:54.198{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A761B063F8C41F6BF1810B9499D177B2,SHA256=EF2617023AB39A14852AF974051623F0934D21FCCD78824865A50E0D98D5E9F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031787Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:55.586{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9679B1B9B0E1E24C548BD70A237B2A78,SHA256=40632EEDA50E495CCA668894E2ADFB351EAA6586B34E729B077FA85DD3E842B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031786Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:55.242{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=049EC0CB2983E0CE4463F65272B15E55,SHA256=A8CECAE6690147251AC1DD4A5BD262F86FF33BCCE20EF54B2E01D1A51588BAAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894143Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:55.229{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=973D110366E32D26E17150219794BC7F,SHA256=F8DF1C01A2288CEE1D9942102DD9573AA459B018114842250C6500000BC21FFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894144Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:56.260{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0DFAC2F0FD69FE53B39E766130FFA6,SHA256=F25621A1E12C973C59FCEC642F4EFC13A66091290A0927E9434C31ABEDF35381,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031788Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:56.273{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E99D39A070E67CC9F6DDC568D6D63854,SHA256=09C6BDEA00794DE8E63A302D444847FD2FAC18D2930A891B60BAEE8C8467CA69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031789Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:57.273{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BFDA75F46A411F6128D1BCD9EE7138,SHA256=F0751B8FA377C188DF7D038DBF0C4DD380A2F683E3474690E3BEB65D4666E63F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894145Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:57.307{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D91000F764BC1556A4D09F1975A7ACA,SHA256=857F23844118A4265C5B4EA200C99FE520D6DD6D42F1DFA99974DAC918458A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894147Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:58.370{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B07B153E8EBCFCB19FAA8CC5C7FB18C7,SHA256=CD57DAD3DEC123BE9359E75521985429AE1D65E7A91C7A9270173326E6B883AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031790Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:58.508{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5645295C70D5CBD240724AE557AB4AA7,SHA256=67A97276934EAB31E3FE8EE82A9AAD6775FF9160986D3918CDEA22521E8B7780,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000894146Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:48.056{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52751-false10.0.1.12-8000- 13241300x80000000000000001031801Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:41:59.601{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001031800Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:41:59.601{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fbd6544) 13241300x80000000000000001031799Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:41:59.601{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d781f1-0xb72c0b6f) 13241300x80000000000000001031798Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:41:59.601{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d781fa-0x18f0736f) 13241300x80000000000000001031797Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:41:59.601{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78202-0x7ab4db6f) 13241300x80000000000000001031796Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:41:59.601{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001031795Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:41:59.601{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fbd6544) 13241300x80000000000000001031794Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:41:59.601{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d781f1-0xb72c0b6f) 13241300x80000000000000001031793Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:41:59.601{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d781fa-0x18f0736f) 13241300x80000000000000001031792Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:41:59.601{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78202-0x7ab4db6f) 23542300x80000000000000001031791Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:41:59.523{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AFBC4F8DED333FC6B72B1958EC49A38,SHA256=9DA61867DDC43EDEF3A5781AC30C257926FB2DD900BA0BC3744279639310A7B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894148Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:59.604{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=608EEF4B68E5C8325EE8125B3575D1D0,SHA256=ED252EA4349DE888C058F3F281D4EB15041D66E284462557E2DE427E41E43642,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031802Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:00.523{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D781E04AE6E75EE53411509265D0AB8,SHA256=68DD049FC75127DC75807EEEB2B5F881B8BAFDA791FFCDFBAA6ED04D83F4611D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894149Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:00.620{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D487C1195EF408C0D72CC82B1469B8B2,SHA256=09D8DE65F5E5DC2D9B0B57992B7736271F9650BF0B234A479948FAC89A605BC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031804Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:01.758{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DEDB0D64394669252EB879C5BC2318,SHA256=8EA8665ADE7E910BC34389487E1048AA380EFF1D7FB2E66601B9B5103225E898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894150Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:01.651{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710E1D1F21C4243C1F316CFBDC4AFA9C,SHA256=C784676031675E43E1A89CEE3866621EE6B65E100F44AB38E6C85722C12B6046,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031803Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:00.191{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57673-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031805Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:02.883{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E83F1418150E0E14E9CCC01A038AE3D4,SHA256=A2D81BDE2FECE9AE67AB971BBB3E09E084995887FEF91835B94FA85507D6DAC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894151Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:02.663{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A84AB7714327C8D4B56121166116663,SHA256=11738EE045BBF3085D6C39925CF900BF2F02738AE1AC3D91EAD0B6A8EE693972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031806Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:03.883{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A5EF8946DEF1311CB89476C3E37C23,SHA256=E0642FE726CF9D35C806FE0499BF542F8114E38FB63D2DFD3EE3CDD5C7A1B4D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894154Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:03.664{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD1FCED2EBA94018A14DAD3B06A99AD,SHA256=CC8A3F23A52E8953909D008D1DBCD786649A31AE417EBFCCF00F51E1D12B4FFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000894153Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:53.372{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse50.212.63.14-49962-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000894152Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:53.181{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52752-false10.0.1.12-8000- 23542300x80000000000000001031807Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:04.898{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2336701C1846A7B12F9FC3B5E9EF050F,SHA256=B74F9F199394B3EF29A9EED803930310DCB6A683B2B51E1E01F3DCE547988011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894155Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:04.680{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A40DD0E6F30F383AF2F64E21E2B34D,SHA256=6335B9F85172411A04E53DE73CBB1CE07465BE645E163B25AC32EB66E736E577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031809Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:05.914{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3007398EA5B8D1A41DD534B5C59F87F,SHA256=3CA6D3E5004861BD3372F92D4982800FC21F75C958C583D13AE756C0C0CA490C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894158Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:05.727{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0B45C98980EBB65AC2647C6F50F4E39,SHA256=FF31B0D03514B03973AE0F36EABE36ED9DB665DB7F42B333724B945E0209666C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894157Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:05.727{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DF1038F3C7C8FF1FE7635C1D134CFC1,SHA256=53B9949B7C42AF4EF65416621DDEA8DFF7941BDC56461AF7F5C3288DF514DFDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894156Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:05.696{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1E198201C21CD67513DE988A933AF5,SHA256=0D6684EE7710C954051F6A0A1C64AAD8BEE5C8E4B89F24BAE7D5564FB8C6107D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031808Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:05.301{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57674-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031810Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:06.914{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF53665D298D78DC0E5F42EB842C14B1,SHA256=725B34CBCC619C45DE3EA5F55951F0D17B99EBD10D23CCBB1EA6A4F47C564B81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894159Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:06.711{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C4CB34919D90EAD4B8A0B79E4CA18B,SHA256=232DD155713B265CDEAE557F9B9CEBBD8AF4A26C927F2259C8E65EC00599D33D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031811Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:07.945{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1995AEE562480432ABE12ACBB20DB874,SHA256=6A99D1F2D11AEAC583516A8655E49166B454AD06A6385A349DC217CA7456EF04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894160Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:07.727{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E83A718FE87FB80ABF589405A34EF79,SHA256=A29F433873EF2945D56286201C46B1DF3320F62557CBFB4D665036E244458157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031812Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:08.976{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE0564CCF58C8202FADBD8B9BC7791D,SHA256=3267B44A997E87B66D6F25B27D6DB2780CD3949A3038A945CC4208EAC1413AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894161Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:08.743{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED019AA84E2034288F24E8568287C8B7,SHA256=4C3D45860A61A20A4FB81BF8B75787E9E433E347B822039C48B3966E90ED6076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031813Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:09.992{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C81467691B1BEDCFD06E192F461CDE22,SHA256=DF51AB0DC5A81FD33DD8181B35DC379D7102D5F8BCC0CCE69BA98001FAA75BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894163Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:09.758{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F49AEF608C71D95D57B9CA3ED75E5EA,SHA256=57F7BCB235D180BA8FD97F63BB2A9C72F9B04C0E20379C1F77C2E084994400AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000894162Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:41:59.116{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52753-false10.0.1.12-8000- 23542300x8000000000000000894164Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:10.789{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CB454A208ADE2E5A581355818AD9DC,SHA256=A7DAA63C414B131B8BBA1307B30F12086869D90B4709D7775E1D2E454FDD8D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894165Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:11.836{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF4E7A19A838E8C3B61C72B8E1AB921,SHA256=B7486BC361278736A1F35AD4B6D7252F7DE8E64DE9AB726EA48BB5DEB1E761D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031814Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:11.055{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA2D50402CE611578C821CB8883971CD,SHA256=C7AB79A6A6AD3E275A0DBE580C1B55988953721F1F27C6F81E5248E08B4D4E40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894166Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:12.852{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2662BF67FAE890F91341620D127AB6E3,SHA256=015A87A98DB38DB392250B8C31CF13F2AB53B8CD4921588A20DB1DFB112520CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031816Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:12.101{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC9F4AC08D59B46BF7B8C375B96392B9,SHA256=2552873C06E259B1C31C62921AAE74417ED0FE0E414E0D19B6940E0C68211485,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031815Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:11.255{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57675-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000894167Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:13.930{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8880371C5AAC81A8B55A681F83A329BE,SHA256=F8FA380A0F3CC9B7D78EFDFDA55C3A1E2002CE93E3962596A9359A2F56B27E10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031817Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:13.117{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5029FBA10968BE9D3887AFE438D8C1,SHA256=42760BFD73A9C09639D652247EDD2329FE0D4058E54A4FE6538027A6C0CA77C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894168Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:14.961{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6E0B6C6CE9925C6B3467108168CDF11,SHA256=56B2AC52539019A1E3B17E467D743F668F3A806D62F6C9E09BD2E5EDEC6EFF46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031818Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:14.117{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3640D4C4825C8D47DDFE21732B45EA9F,SHA256=2FFC6D2961A54D2EFB1603A50AA45E07F52D1A6EA6FC6090B30CB003D6D599AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031819Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:15.117{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA73E8627BEAD2A26C02DDBE4E9DCA75,SHA256=C2052904B0AF3BA25422538B5A41CAAB5B39830977985FA515A2F0BE1C071187,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000894169Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:05.069{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52754-false10.0.1.12-8000- 23542300x80000000000000001031820Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:16.133{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F469C149ADB467762F0E7D6FC93878F,SHA256=091E7ED85251983CC28AD5BE233BD947A4800C8B7C01CC0C1C2A1D9B63C55B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894170Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:16.055{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6960A0ACD169559A300360E787D56891,SHA256=BC2B73DAE30C032EE9E9A73DAEE4589E0A31B8E78C2B806C66A7A4D798378126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894171Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:17.071{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED6F4E8D13985E76B993A185104213C,SHA256=7AA4FE9570873AAAB7FB104270E1B8EEC446BBC2813AAC95B318C83CFF711EC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031823Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:17.961{2E2BE06D-6DD8-60FA-1200-00000000E601}780NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4BB57109CD0D9C716611D7B96A2320E0,SHA256=C09F01DEA2549AD0A99EF786B543474594017A4F699030CC8893A358C7ABE1CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031822Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:16.363{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57676-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031821Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:17.133{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A478F4F183AA475517C69256F096173,SHA256=EDB296E29BC9ED2A908BDCBE0072DC88F3CD286F2F9468D496B0139779160934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894172Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:18.102{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81210F96DF382DA4D5D13C821E3D82BE,SHA256=9AFA87658DC14ADDBFEF7D1D4DE1BF38F40892640D960112FA112C2CBFC75F31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031824Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:18.133{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B6A1C2939475FFC1C38E448C70E1B3,SHA256=D2BC50CDFEB49372AC89474F2F7D12FE676714ECCF768932314EED5D05869BC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031826Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:19.883{2E2BE06D-6DD6-60FA-0B00-00000000E601}6366964C:\Windows\system32\lsass.exe{2E2BE06D-6DD3-60FA-0100-00000000E601}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001031825Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:19.133{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC7692569E9C62E74906AE937658A45,SHA256=413895AB4C1F464705393E04380E6D8EB19F9EE5C7FB098B04D00231C5584A72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894173Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:19.196{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6456CD2A769A2D0EC0E5CBC33D5E3B,SHA256=E6AC805D9653523DF9542200C89258EE8EC14A5B44F567DDCA285520AC593349,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000894175Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:10.225{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52755-false10.0.1.12-8000- 23542300x8000000000000000894174Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:20.243{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86CA592E2455CE3A04AD46F83FB2C1F8,SHA256=8515CAA45A2EDA9334FFB779A6A8C8A46338525EBDFB1658C0D76D3E746F08A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031831Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:20.883{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3299BD859E83E8D3E3C904A9B9DE63C8,SHA256=73F1B5FD27C211F5FBE223FEACD3661713F8D29A6D76E621FBADB85A7E389C43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031830Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:20.883{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=709CE67CAEFA6A1E327C21D493B26641,SHA256=8F8F7C25C4D4EB69F996FBE3C26C0D9A677528EDF49A852380D9C4FF4B672895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031829Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:20.789{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3FB2FAF9FD85CBF4E20ACA16FFACA52,SHA256=FC3752760C9567802447D9E9CB48482AD66888E831628D10D115E571DEAA86D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031828Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:20.789{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78210DB0FF82ACA1D95DFEDBB1E8480F,SHA256=09AB8299F619EE2C426E81C136CEABD85D1AFBDB0EC839A3BDAD15BCEAC4F793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031827Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:20.133{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA6EA8845BA2404251C42C3C4645181,SHA256=3DE13C418510897D722C8612742A77735F3E8989534337A9101C4232DCEDC9F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000894177Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:10.840{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse50.212.63.14-60213-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000894176Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:21.258{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F18F3E3F725CAC0EFA25C73C21039D,SHA256=B909E8948C1476888B025F3BC21ECB2C3F0F73D8F5D69039217D3E8E32167154,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031838Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:21.024{2E2BE06D-6DD3-60FA-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57679-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local445microsoft-ds 354300x80000000000000001031837Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:21.024{2E2BE06D-6DD3-60FA-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57679-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local445microsoft-ds 354300x80000000000000001031836Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:20.932{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-56.attackrange.local57678-false10.0.1.14win-dc-56.attackrange.local389ldap 354300x80000000000000001031835Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:20.932{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57678-false10.0.1.14win-dc-56.attackrange.local389ldap 354300x80000000000000001031834Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:20.922{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57677-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001031833Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:20.922{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57677-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 23542300x80000000000000001031832Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:21.148{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69A800A8DF56DC14435844805986D10,SHA256=E3747FE094E7A064B5C120C71DEB88C0245FAA13668C35CD2C19F30759902866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894178Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:22.477{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0576806C1FF2D2C16F520A360465264,SHA256=C990356DDD03C18285C8DA5621287B301121C4DA4B2DFC7B909CEE3AAAAFCDC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031840Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:22.269{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57680-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031839Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:22.164{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5C16A8D0DBD9263B7F84A3BAC6F39D,SHA256=BB01761614C274EDE8FD62611ED89F230678F69570EEBBCE54BBBCFB45DA2D6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894179Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:23.571{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8CFD8C3F50158A401FA7A78EB274E0F,SHA256=ADE618E0D657F58899EBDD95824029F7E4F6976713D2FCF721F4D96ADE8603AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031841Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:23.179{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E270A3016A4D58CE603B32DC350464AA,SHA256=6261BAC10C4CD5A3744B8288AA2D1B9E57371755280AB5E79E0B6323622252C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894180Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:24.618{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD8037EE8F7F7E20807563EDE0E96762,SHA256=9147B13573D42F4C0251160477B3ED36795CF2124367AEC73B2ABAD3E867A299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031842Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:24.179{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F115EF9C5F349DACD1459205346292B6,SHA256=A88ABE94C5E625ADA5DF79628609A9B3CA25B036A014EBCFE61239EBD4FC697B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000894182Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:16.084{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52756-false10.0.1.12-8000- 23542300x8000000000000000894181Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:25.633{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=494ACBF7FA51C73E0790050ED8C8598C,SHA256=6317B32BF9F18FBE78BAEA9FE53495ADC54AF322F8035EA10F104CDCB3A74619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031844Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:25.414{2E2BE06D-6DE8-60FA-2700-00000000E601}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031843Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:25.179{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F84D80470A73CF39EB8168A4854CEFF,SHA256=FC7599A2B6A67FEF3FFD85BB7F97E449D1259935DFF0483CFF27A033152E17F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894183Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:26.680{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B697A783EBC9796ECFC3D244BDABAF,SHA256=D5F3B648866183A8C74C049266C2CAB778D1A0D903F075ED898370FF6F9926A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031846Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:25.834{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.235unn-212-102-34-235.datapacket.com46530-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001031845Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:26.179{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E638F1454C200526816177F5DA3C8E,SHA256=973E01789ADEB56D4843CEDD0146CFD9574458AB5654C3843C939DD92AF07E10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000894197Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:27.946{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7573-60FE-2E79-00000000E701}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894196Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:27.930{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894195Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:27.930{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894194Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:27.930{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894193Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:27.930{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894192Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:27.930{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894191Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:27.930{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894190Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:27.930{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894189Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:27.930{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894188Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:27.930{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894187Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:27.930{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-7573-60FE-2E79-00000000E701}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000894186Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:27.930{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7573-60FE-2E79-00000000E701}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000894185Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:27.931{D94AFF6C-7573-60FE-2E79-00000000E701}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000894184Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:27.914{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03715E1E7E301554EC2150A37C0400A1,SHA256=E1B76CA47AC84427950CC2CF10818B6DF46443A13232C1CC659EF9CEBD6875DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031849Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:27.363{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57682-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001031848Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:26.535{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57681-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001031847Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:27.179{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF251579A3BC7B969B01F169BD89CE70,SHA256=0C0F41846ABF69329C3008D4E4963FD1915C6E923F6B28EF67054A2587BEB424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031850Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:28.179{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=734C8CDF8618B9099585AAC89A3158A1,SHA256=5D344DC0B9799FFD520C453D52700FDA393E327352EB29238F2E5779AF1C11B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000894213Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:28.571{D94AFF6C-7574-60FE-2F79-00000000E701}17001836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894212Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:28.461{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7574-60FE-2F79-00000000E701}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894211Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:28.446{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894210Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:28.446{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894209Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:28.446{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894208Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:28.446{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894207Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:28.446{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894206Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:28.446{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894205Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:28.446{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894204Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:28.446{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894203Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:28.446{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894202Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:28.446{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-7574-60FE-2F79-00000000E701}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000894201Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:28.446{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7574-60FE-2F79-00000000E701}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000894200Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:28.447{D94AFF6C-7574-60FE-2F79-00000000E701}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000894199Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:28.399{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4638E811C7D75DEBAA2628BDEC94ABC,SHA256=FED6F9E4BD2F42B37FA6E92721A4589F1D8B4C4D5256532C9C390F03F9F31245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894198Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:28.399{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0B45C98980EBB65AC2647C6F50F4E39,SHA256=FF31B0D03514B03973AE0F36EABE36ED9DB665DB7F42B333724B945E0209666C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031851Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:29.182{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=577261587FCAF7EAE0272A8DF96C34F0,SHA256=B4F378DCC2B6833B9812F3D6C675797F8DE730A0A0821DB6C803325842B6D8F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000894241Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.711{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7575-60FE-3179-00000000E701}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894240Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.696{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894239Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.696{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894238Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.696{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894237Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.696{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894236Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.696{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894235Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.696{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894234Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.696{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894233Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.696{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894232Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.696{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894231Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.696{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-7575-60FE-3179-00000000E701}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000894230Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.696{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7575-60FE-3179-00000000E701}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000894229Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.696{D94AFF6C-7575-60FE-3179-00000000E701}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000894228Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.665{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4638E811C7D75DEBAA2628BDEC94ABC,SHA256=FED6F9E4BD2F42B37FA6E92721A4589F1D8B4C4D5256532C9C390F03F9F31245,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000894227Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.086{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7575-60FE-3079-00000000E701}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894226Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.086{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894225Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.086{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894224Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.086{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894223Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.086{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894222Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.086{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894221Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.086{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894220Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.086{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894219Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.086{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894218Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.086{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894217Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.086{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-7575-60FE-3079-00000000E701}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000894216Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.086{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7575-60FE-3079-00000000E701}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000894215Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.073{D94AFF6C-7575-60FE-3079-00000000E701}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000894214Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:29.071{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DFC1964D7FC5DCD3BB934F8844BFB6C,SHA256=4BEFFC1E058820F3B7DCA56EACF567F6F87F5D9FBA00DB3DCF8B34FBE5367A91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031852Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:30.194{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E519E5DC9489B8955FD09D96FA7862A,SHA256=F6078381A8159235C193D85A2A4F7810B34304F4EB51A548ADFC197200A721FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894243Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:30.758{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=178DFD2F386979CDD0C4C9F2099E911A,SHA256=B691CB5B16BCCA10B4DC2C3735F2DC670E093F2AAB97FA4218017D02776F9E8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894242Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:30.321{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15DD32650E4E4CFAB2FD00C54ACD06EF,SHA256=30E36A5FAF256FAFC25F942FF88F265AAFABDC2012776A8087C1E6D622055247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894244Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:31.555{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D92609D75FCC18D84BABBF962B22E41,SHA256=841CC6F5C1DF4B5599E5816F7248C4DD833F07BD4F94314089B215C17A7F0E17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031853Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:31.209{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74050B6777A349A560C420A5A30373F6,SHA256=B55E09374DA628AA785340FDA21B44D65CE194ED65E2A66D1986C7DA02F8E893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894246Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:32.618{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA56ECC89B7DC335AC6327D8FC26B544,SHA256=C7F03CF8A80FBD34147A53D4583080EE6E0D87AF0768A528B647ED3D75C5D5B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031857Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:32.412{2E2BE06D-6DD8-60FA-1000-00000000E601}384NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=E8BDCD318F3C3F946EB88E3EBC882ABD,SHA256=3E5CCE0CD056B69687F01248816097442269D5CB913A865DD9C524D138A2A799,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031856Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:32.349{2E2BE06D-6DD6-60FA-0B00-00000000E601}6365324C:\Windows\system32\lsass.exe{2E2BE06D-6DD3-60FA-0100-00000000E601}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001031855Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:32.240{2E2BE06D-7527-60FE-BE79-00000000E601}4128ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csvMD5=E8BDCD318F3C3F946EB88E3EBC882ABD,SHA256=3E5CCE0CD056B69687F01248816097442269D5CB913A865DD9C524D138A2A799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031854Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:32.224{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E62817D2E9278BFD6BC11A67A025151,SHA256=AB29BB95D080E79EA18FDAEB7412C3D901B9540B35BE22F21E856A4D45029778,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000894245Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:22.037{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52757-false10.0.1.12-8000- 23542300x8000000000000000894247Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:33.649{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33E0E7EB97DDD102AC93B7F069501003,SHA256=3FCBDBE3E1D8A64FA8A0C60ADAD91ACD49AFBD66B9461A4FA5CDB8700A3F8F7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031862Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:33.630{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1E94BAEBF2FA4DBA2F05BB16B318C76,SHA256=540A4A5D586589E03359664D1A456FC874840423B46795F14148649BE189D3D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031861Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:33.630{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3FB2FAF9FD85CBF4E20ACA16FFACA52,SHA256=FC3752760C9567802447D9E9CB48482AD66888E831628D10D115E571DEAA86D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031860Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:33.255{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DB696A02C104D7CCD5BCA2CB3C80D062,SHA256=4614C4F070F7773D99CE857184F5B0C012DCAC3AEBE56175CA1925D268D0B18A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031859Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:33.255{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3299BD859E83E8D3E3C904A9B9DE63C8,SHA256=73F1B5FD27C211F5FBE223FEACD3661713F8D29A6D76E621FBADB85A7E389C43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031858Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:33.224{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BAC2F648571E452BC24BB632D591F5C,SHA256=ADD464CF5BE13A04E14B90571D8F5934F871BBC554770109C84C8A0BA856FDBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894248Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:34.664{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24DB4BD89D103F18805198A337C197AF,SHA256=8CD842A6613DDA03B86B862A03E89E7AB2486B63F1875830646FDA2904147858,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031870Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:34.240{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A59A52E4CC4E93EF8FF27E085949A779,SHA256=7F674F06BB41E4C2DD6E3E293693221BD17E08BDD845B615A3B5CBAD27338B83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031869Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:33.490{2E2BE06D-6DD3-60FA-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57686-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local445microsoft-ds 354300x80000000000000001031868Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:33.490{2E2BE06D-6DD3-60FA-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57686-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local445microsoft-ds 354300x80000000000000001031867Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:33.397{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-56.attackrange.local57685-false10.0.1.14win-dc-56.attackrange.local389ldap 354300x80000000000000001031866Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:33.397{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57685-false10.0.1.14win-dc-56.attackrange.local389ldap 354300x80000000000000001031865Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:33.385{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57684-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001031864Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:33.385{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57684-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001031863Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:33.236{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57683-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000894263Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:35.914{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A9432E78ADF5470A03DD3808507C3F,SHA256=547BD71C3CA27209FF766C568DBACAEA3D79CC8489C024156EA6CEAF7F31D948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031871Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:35.240{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0804331F0830B0CAB68C95F968C6B9AB,SHA256=2744343832BC3C3ED951A017D9D97F3F2BB53698E76ED53082D24B9E534DD2DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000894262Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:35.586{D94AFF6C-757B-60FE-3279-00000000E701}1468484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894261Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:35.477{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-757B-60FE-3279-00000000E701}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894260Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:35.477{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894259Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:35.477{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894258Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:35.461{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894257Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:35.461{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894256Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:35.461{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894255Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:35.461{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894254Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:35.461{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894253Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:35.461{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894252Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:35.461{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894251Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:35.461{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-757B-60FE-3279-00000000E701}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000894250Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:35.461{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-757B-60FE-3279-00000000E701}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000894249Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:35.462{D94AFF6C-757B-60FE-3279-00000000E701}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000894266Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:36.946{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F654DF05C4637E5F9218750493BC7386,SHA256=EBF4AAFBBDFCA025CA72EA3E54DF09E122DDEB8420DD450A9B088404F6582767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031872Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:36.255{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A980A144BCB869068CD78BF7C373D65B,SHA256=DC830761C99C83A2CA9045F9550E322E3DC7463787EBDF0E896B0D2F2C130178,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894265Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:36.508{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D701F9526BA2502617DE78DBCC53930C,SHA256=C9323C76CB62744DEBA755B5C3C59E93E50BCB580E2E973190BE95D88C267809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894264Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:36.508{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=580B2B9DA512B00F34170A17E7CBB2E3,SHA256=7902C0581E74216D61816C532FABF5EF2D8467528B603BF147C2BD59316B25D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894268Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:37.993{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE20F5A1BD88F54BDF12CFE006CF7182,SHA256=2D5C779BC2A7E2495BA7D1E4D295FE90A6F5B2F013B6F80DEF06C150F956B241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031873Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:37.271{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDABA19F38932457C89EB03916B40684,SHA256=39BF0E06CCB774EA9CDA7E61A33B5AC13BBA61A0638C6FA55A57F69D8D9B71B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000894267Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:27.209{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52758-false10.0.1.12-8000- 23542300x80000000000000001031876Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:38.380{2E2BE06D-6DD8-60FA-1000-00000000E601}384NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=A3C92D2A622554F3745BD0C1C6720061,SHA256=341D0F227C7932EF4309A6F67B537ACEDC126D76FFAF43ED44BF91992D8A0539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031875Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:38.287{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8553950723D8C48C2B5D6433D0AE7C46,SHA256=616F6C0BD3A120A53D6DB7D2A1B4F12D1B4F8FCD80D9EBE3BD7B27508AB80EF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000894270Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:28.539{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.227-63172-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000894269Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:38.227{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D701F9526BA2502617DE78DBCC53930C,SHA256=C9323C76CB62744DEBA755B5C3C59E93E50BCB580E2E973190BE95D88C267809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031874Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:38.240{2E2BE06D-7527-60FE-BE79-00000000E601}4128ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csvMD5=A3C92D2A622554F3745BD0C1C6720061,SHA256=341D0F227C7932EF4309A6F67B537ACEDC126D76FFAF43ED44BF91992D8A0539,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031886Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:39.399{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-56.attackrange.local57689-false10.0.1.14win-dc-56.attackrange.local389ldap 354300x80000000000000001031885Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:39.399{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57689-false10.0.1.14win-dc-56.attackrange.local389ldap 354300x80000000000000001031884Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:39.388{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57688-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001031883Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:39.388{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57688-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 23542300x80000000000000001031882Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:39.630{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F90D5C1E91C21ACF8B2176D6FB794948,SHA256=FDF7D2FD03504B7EDD2E61A7CE0AF18C8BFF6B622DEF39E8952190B0D844E25C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031881Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:39.630{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1E94BAEBF2FA4DBA2F05BB16B318C76,SHA256=540A4A5D586589E03359664D1A456FC874840423B46795F14148649BE189D3D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031880Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:39.287{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AB2E0E1E0D62DC8C3F22B0AAB31427F,SHA256=C908D7945095EDCBCFBF45464D1212BDAB8EA01B00A18A79053B8C82F1CAC4C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000894285Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:39.539{D94AFF6C-757F-60FE-3379-00000000E701}964304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894284Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:39.414{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-757F-60FE-3379-00000000E701}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894283Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:39.414{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894282Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:39.414{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894281Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:39.399{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894280Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:39.399{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894279Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:39.399{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894278Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:39.399{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894277Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:39.399{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894276Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:39.399{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894275Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:39.399{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894274Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:39.399{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-757F-60FE-3379-00000000E701}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000894273Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:39.399{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-757F-60FE-3379-00000000E701}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000894272Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:39.400{D94AFF6C-757F-60FE-3379-00000000E701}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000894271Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:39.071{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24B6EA4C6AF098150188CB31B37423C3,SHA256=C1FD3F4551F0819195C8F5404BA077A1756F1B89F61562C945E06D8DE6810E2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031879Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:39.255{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6D092C03384AFA6198B88642B5A117EF,SHA256=10590349BBB2C434D1B107EF0660BA4EE0610425AC458A19DABEB54ABFBF5FA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031878Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:39.255{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DB696A02C104D7CCD5BCA2CB3C80D062,SHA256=4614C4F070F7773D99CE857184F5B0C012DCAC3AEBE56175CA1925D268D0B18A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031877Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:38.299{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57687-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031887Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:40.287{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE3CA2C6264B0E343BBD516C1DD7CCA,SHA256=96FC5A1B66FBD1EC5CDAD3ED293ACE47727EE5E55481D1A54DCF83BDD7558151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894301Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:40.415{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CA5D6F7577D3853FD0A60D4F63A4AC1,SHA256=E7F520C25A9F65E0372E4D5F04747871904FD9A56631CE2CA1DA3592571F383D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000894300Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:40.196{D94AFF6C-7580-60FE-3479-00000000E701}34722920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000894299Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:40.086{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C854730866E854BCC23118E37EFF85,SHA256=13AEC19413D6AF864D99D3D36A91C66BB9A0540F309802C6FDADACB01C63AF81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000894298Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:40.086{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7580-60FE-3479-00000000E701}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894297Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:40.071{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894296Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:40.071{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894295Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:40.071{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894294Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:40.071{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894293Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:40.071{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894292Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:40.071{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894291Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:40.071{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894290Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:40.071{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894289Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:40.071{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894288Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:40.071{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-7580-60FE-3479-00000000E701}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000894287Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:40.071{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7580-60FE-3479-00000000E701}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000894286Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:40.071{D94AFF6C-7580-60FE-3479-00000000E701}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031888Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:41.287{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=896AC426491795FB77DB9715970ED566,SHA256=3E33466D5573D198159F18C96DC11A5ECF5E72E3502E7754D393F9C31BF26F22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894302Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:41.086{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE80036015529600E1C947B58B0473F,SHA256=2E4F952673A44C36F257F34E36EDCC251F72C4A380731BC5DC6DAA4D164B2DC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031889Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:42.287{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D23E63D036DFF4F35F64C1C4F243479,SHA256=8A1A805F88322BABFF1534DAA97AD3678C6A60B1D18D45E0C7366A733393FB4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000894304Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:33.131{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52759-false10.0.1.12-8000- 23542300x8000000000000000894303Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:42.196{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D2FF5E3A6E7AF4592545542F83C9350,SHA256=8D204CC4813F3F20CA976203035FAD6EF1092A2D101D869A604DC4A560E2709A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894305Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:43.211{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70CD8ECCA1FF5B7D75C617E8C9FAEFA6,SHA256=7C4CDEA750330CBD8E26EED736FCD84CC852819A8286D4F6CF8AF7ECACE23ECD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031899Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:43.896{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7583-60FE-C679-00000000E601}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031898Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:43.896{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031897Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:43.896{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031896Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:43.896{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031895Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:43.896{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031894Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:43.896{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-7583-60FE-C679-00000000E601}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031893Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:43.880{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7583-60FE-C679-00000000E601}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031892Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:43.881{2E2BE06D-7583-60FE-C679-00000000E601}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031891Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:43.287{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984FF5CC59DC3F16E1A5FA8A6C077D4D,SHA256=F2C2FAF4D639D8E9FF2CA4C889A4B244E01881EE33255DE2F44C6E92D86E17C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031890Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:43.255{2E2BE06D-6DD8-60FA-0D00-00000000E601}9045064C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000894306Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:44.211{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C749E122B730F1CCC7B1DF2A464739,SHA256=3A1BDAFCD7ACB85FF389B868D4FA631F2573E68C1D6E0466DB774E3013BE15D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031911Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:44.584{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7584-60FE-C779-00000000E601}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031910Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:44.584{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031909Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:44.584{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031908Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:44.584{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-7584-60FE-C779-00000000E601}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031907Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:44.584{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031906Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:44.584{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031905Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:44.584{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7584-60FE-C779-00000000E601}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031904Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:44.569{2E2BE06D-7584-60FE-C779-00000000E601}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031903Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:44.474{2E2BE06D-6DD8-60FA-1000-00000000E601}384NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=04EB57F3489334D977F8CB3F8AE50A3E,SHA256=54D00B41E93FD996155B8C7DE6FC952DCDBE1D72452AEE4A2176B3C2194A57F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031902Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:44.318{2E2BE06D-7527-60FE-BE79-00000000E601}4128ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csvMD5=04EB57F3489334D977F8CB3F8AE50A3E,SHA256=54D00B41E93FD996155B8C7DE6FC952DCDBE1D72452AEE4A2176B3C2194A57F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031901Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:44.287{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D631DB2F7984C9BAE6737701601BABF9,SHA256=D2F682632CE85A3C237190B4935136369030EB61656ACD3EE2B6EEAF55C3F01B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031900Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:43.377{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57690-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001031933Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.958{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7585-60FE-C979-00000000E601}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031932Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.958{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031931Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.958{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031930Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.958{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031929Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.958{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031928Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.958{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-7585-60FE-C979-00000000E601}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031927Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.943{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7585-60FE-C979-00000000E601}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031926Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.944{2E2BE06D-7585-60FE-C979-00000000E601}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031925Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.474{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D4BAF0AF048F5280CD60072655AFED7,SHA256=9ED8A5F0602A6F03A3B8C6AE2CA46641C71566D437134ADA1D41AD7077F1CB07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031924Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.474{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F90D5C1E91C21ACF8B2176D6FB794948,SHA256=FDF7D2FD03504B7EDD2E61A7CE0AF18C8BFF6B622DEF39E8952190B0D844E25C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031923Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.459{2E2BE06D-7585-60FE-C879-00000000E601}68525348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001031922Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.318{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=718C31ED7211B316F5C6406DEAEB24A6,SHA256=FAFAC7ED7580572EE31305DECCC14DFECBEA2C135E786998DD545933BC7F7B47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031921Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.318{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6D092C03384AFA6198B88642B5A117EF,SHA256=10590349BBB2C434D1B107EF0660BA4EE0610425AC458A19DABEB54ABFBF5FA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031920Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.302{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B8FAC34827BFB742878B756A149A28,SHA256=A6A109AA89C0ACE6B8028003C2D7CDCB75C04ED3D72C77B149B52DD830C78D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894308Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:45.524{D94AFF6C-6DD8-60FA-1100-00000000E701}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=33AC0C83E1F37DC82A19FE559A27B069,SHA256=2353984B4DDF6106662B36A2BD9F5BCE626A4686442BEC2ECA7104ADB1D716D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894307Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:45.227{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C7D71C3055B4F705FDAA6983CCE638,SHA256=8995F04EE83F556C20E97975793F25A5FB9F4852AE2E09B7F98A470ED6B2E178,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031919Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.271{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7585-60FE-C879-00000000E601}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031918Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.271{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031917Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.271{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031916Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.255{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031915Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.255{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031914Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.255{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-7585-60FE-C879-00000000E601}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031913Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.255{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7585-60FE-C879-00000000E601}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031912Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.256{2E2BE06D-7585-60FE-C879-00000000E601}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001031948Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:46.912{2E2BE06D-7586-60FE-CA79-00000000E601}42802164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031947Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:46.646{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7586-60FE-CA79-00000000E601}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031946Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:46.646{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031945Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:46.646{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031944Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:46.646{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031943Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:46.646{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031942Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:46.646{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-7586-60FE-CA79-00000000E601}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031941Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:46.646{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7586-60FE-CA79-00000000E601}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031940Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:46.631{2E2BE06D-7586-60FE-CA79-00000000E601}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031939Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:46.427{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=593180A7A1C637BEFF7B96061F37541B,SHA256=A5BE7D3DCB3EB974929AADA5DF5430FE282A4D2F81D191279E4512ED90DB3EAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031938Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.473{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-56.attackrange.local57692-false10.0.1.14win-dc-56.attackrange.local389ldap 354300x80000000000000001031937Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.473{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57692-false10.0.1.14win-dc-56.attackrange.local389ldap 354300x80000000000000001031936Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.465{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57691-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001031935Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:45.465{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57691-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 23542300x8000000000000000894309Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:46.243{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA13AD2C54FBBB8B7E2923CB5F9620F4,SHA256=5BA9CFE1B8DD1140701802FF26A3EDD77B1120206F7662BE0A181BB4A2224A08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031934Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:46.146{2E2BE06D-7585-60FE-C979-00000000E601}67683024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000894310Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:47.258{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=350F1708DEF92852FF84DF32F1E7B5FC,SHA256=D9FAFDC591BCBABF55641DBF8E6E8CF86EC2AC9A1C6D7F2A459C0B6AC025E1A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031958Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:47.583{2E2BE06D-7587-60FE-CB79-00000000E601}69726452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001031957Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:47.443{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C50BDF27B4B18C8FE777284AFB8D2B,SHA256=6DC934DAB9E84AC1AE84F5F2ACEEC0FCD05AE1A7F7CA87952DE8111F1A5A472F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001031956Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:47.349{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7587-60FE-CB79-00000000E601}6972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031955Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:47.349{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031954Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:47.349{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031953Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:47.349{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-7587-60FE-CB79-00000000E601}6972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031952Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:47.349{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031951Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:47.349{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031950Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:47.343{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7587-60FE-CB79-00000000E601}6972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031949Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:47.319{2E2BE06D-7587-60FE-CB79-00000000E601}6972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000894311Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:48.274{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2C33F2E86642805787021286DE4B1D,SHA256=723BEBD00D06E4DF96160C58929476D02B6DBB721FB948014F58752FF07DBE64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031959Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:48.443{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=639AB0581DA4D95408B84108D612C5D5,SHA256=3722440B7DA7D174E3BB29CF1F7BE2D279C4DFE45B1163AE87DC1763813B24DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031960Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:49.459{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00BF0C37D786014242D9A42C42EA35E2,SHA256=D8D559BD1E8D756159F0D9F3953249CA7BE09F882405C90C67A30F0259F426A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894313Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:49.274{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A281D60872BF4B458A8F17B1EDEE968D,SHA256=D5ECE3771162073C138CAF5337D5FF27DE569270FE1ACEF2F5417A0D989DE0AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000894312Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:39.084{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52760-false10.0.1.12-8000- 23542300x80000000000000001031965Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:50.693{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD2043BCD56636141602F03C85E399B,SHA256=28FC36CED0940826C592E70338C5AE662D77EC559C1F1A8EDE7DBAF6E5D741A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894317Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:50.586{D94AFF6C-6DD9-60FA-2200-00000000E701}1296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894316Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:50.586{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BAF2B583A2BCB58E971D23E49CF445D,SHA256=7D7C94F60A74AF8C6B8B7B9570293581B4D92A60125A4A779695FFD86C986B28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894315Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:50.586{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A976B0990B672DDF04AC57FD38F5E9D,SHA256=77A16B5253E99FDDD1E60B16447B9E472E34C2825BA3C06770B81A82F8BFEF30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894314Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:50.289{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=602CD50F13144DB5B56DB561AD696814,SHA256=E31C122BC66BB2F5355516C6D4DBB6CB3D4D594DEE14A642E9F6BDA0338D37DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031964Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:49.677{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local59481- 354300x80000000000000001031963Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:49.676{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-56.attackrange.local60687-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x80000000000000001031962Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:49.675{2E2BE06D-6DE8-60FA-2800-00000000E601}2908C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57729- 354300x80000000000000001031961Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:49.252{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57693-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001031976Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:51.927{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-758B-60FE-CC79-00000000E601}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031975Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:51.912{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031974Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:51.912{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031973Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:51.912{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031972Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:51.912{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031971Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:51.912{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-758B-60FE-CC79-00000000E601}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001031970Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:51.912{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-758B-60FE-CC79-00000000E601}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001031969Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:51.897{2E2BE06D-758B-60FE-CC79-00000000E601}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001031968Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:51.708{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BCC220069FF7B59C946E809DEF9FDFD,SHA256=57944F1CAB8FBD94DB30176DF682F426E75722975B9F2F486AB3A67D5AE006A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894319Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:51.305{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E322BC0E2B9863FF22D2C246AB182984,SHA256=E402F917BF247148B66BA30827FEA222CE6441C051C946D56FC62795E7051851,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031967Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:50.783{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57694-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 354300x80000000000000001031966Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:50.783{2E2BE06D-6DE8-60FA-2300-00000000E601}2740C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57694-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 354300x8000000000000000894318Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:41.432{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.20-1683-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x80000000000000001031978Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:52.709{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7517E87E9E33E3402A09F625A28F8E6,SHA256=74D75FD4A66A0E444C5C7C4AA83C1A242C32EB87921BEEF14FD32728F7042AB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894321Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:52.321{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A48A0A57B39E486A9ABFA960DFF3A9F,SHA256=198ECEA0FD3E8E2968EFC23C7AD808FAC8A44FE5C3024C304456D797E412FB3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031977Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:51.326{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.20-7576-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 354300x8000000000000000894320Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:42.568{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52761-false10.0.1.12-8089- 23542300x80000000000000001031979Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:53.740{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33130093685089BF6C5F332FD2E88296,SHA256=3238E8DFDA44846A15C81E2FAA8BAF7798BE6BD6D0CE20E79A37CD6463995668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894322Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:53.336{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32197B65863C57A4B4D9936C4F587FE0,SHA256=9AD35ABE7A09BCCE4BBC8145C595BCA263C8FCB77A91B0665EA34A2541B162C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001031981Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:54.392{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57695-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001031980Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:54.755{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=430EC7513462BC412393BB79810934F8,SHA256=418BCF408F1AFAD9594B0F4BBA80BF8341DE388332168AB28ACBE411B8BF3C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894324Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:54.352{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E4D220FC6581DB766F98B2F70FF3D9B,SHA256=3A8A3F6755BBA890FD63F86C850C1237A4DB259E3EC5F3EBC1AEDAE8FA4A6096,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000894323Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:44.193{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52762-false10.0.1.12-8000- 23542300x80000000000000001031982Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:55.802{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEAFA45431874F5803D6B053C6E1DF61,SHA256=A1F359D8DF97DDB3B0B77F6A83016992DE5E294BC08928156B6A65615D9589F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894325Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:55.368{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F09958F5C19F2C8C7F451FA7EE780242,SHA256=5D78D84850A9D55980C59554637A58EDC9B7D951075CC71A8A17CCC155B35A46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031983Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:56.818{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECE3A988817B1774C89D2CF349E7D11C,SHA256=C0BFEB1B390815F7BBF4092E6EACC894893F70912A9C05898E079B3052A5301C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894326Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:56.383{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9F5E7CD02BE813051F1665BB454224,SHA256=C8A6971C35D714B2CD47086CBE16E59E061F48E323AFC23527C90773E37863A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031984Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:57.833{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15EDED919433B938395CF78FBF04837E,SHA256=17C5EDCDAE51F1801E3412E6BE99025F237714FBA5108974F07EAB888DCFA269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894327Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:57.399{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D6C61F6C8D4D8EA88CFCEB1A4CB7AE6,SHA256=0426C1B9E1C545F9096F192D57AF05EACFDC011575932FA3C1CD711080C3EBA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031985Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:58.849{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D20DD6AF984DEC905977D725CE1A8AF0,SHA256=5A56F0B6EDEBDE05664DB10FEAB7BF2CEF507F98C2A4A5766A0947388FD69918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894328Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:58.399{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E75D340E3B3416CF42CF0841F584BAE4,SHA256=63C41DA4FAF3B4B54A87C1146705ED885FB9AAB7ACD4E942BA797F615B8C353E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031990Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:59.849{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D54586C77C130C9AAE77D75FE879FD66,SHA256=0216EBDC9597E63D11E0FDDFAAC51AF84A21CED417A720307DFEADDD6A55322D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894331Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:59.821{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C236AEFD5AE7BF7B55FD92A1234D08BC,SHA256=6EDF0689D32CC535FA0C7B561B19C38C42ADA212048D8A1C1B806D6495B7F40E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894330Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:59.821{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BAF2B583A2BCB58E971D23E49CF445D,SHA256=7D7C94F60A74AF8C6B8B7B9570293581B4D92A60125A4A779695FFD86C986B28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894329Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:59.414{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00F15CF487039CFB066DAE13CA50C8D5,SHA256=5321C795EDE59B74FEB7B282CB528CE3E15180BCB93CD6D9E1715AA2202668F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031989Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:59.099{2E2BE06D-CA2B-60FA-5D0B-00000000E601}4320ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V010000C.logMD5=77F99F3A13516D8745D90CF44BAF5BD4,SHA256=E49A2685318A4398423D4F6C2DD49DD2A6BE802A8224F3D10AC10F1684C00994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031988Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:59.083{2E2BE06D-CA2B-60FA-5D0B-00000000E601}4320ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V010000B.logMD5=8AD62543472014652FF7201146AC8A54,SHA256=665C698F4959556DB94C2323E7750828CF7F8708A1FA53458E31C280658F4F69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031987Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:59.083{2E2BE06D-CA2B-60FA-5D0B-00000000E601}4320ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V010000A.logMD5=AAA83991B0BF50F13ACE8C83B7F6CA21,SHA256=69159A8419752212636F832C9E46C1AC36BC91EA35AE219D4AF87376B66F539E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001031986Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:42:59.068{2E2BE06D-CA2B-60FA-5D0B-00000000E601}4320ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V0100009.logMD5=A6F00FADFE17CE96A9D9182D89974E04,SHA256=CA4CAADEB2B3CD059EED1A3802E19AE9AE607D146923EA37E5BE2669E6520847,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001032020Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.236{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57696-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000894334Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:50.676{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.20-57158-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 354300x8000000000000000894333Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:50.115{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52763-false10.0.1.12-8000- 23542300x8000000000000000894332Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:00.430{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89C0DB3FB2B4718DA12AA6217F36CD3E,SHA256=2DF4C063A3554EDCA6F83968F73F560AE4781AC340B074544A85F7825CF00345,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001032019Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032018Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032017Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032016Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032015Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032014Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032013Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032012Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA35-60FA-720B-00000000E601}3556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032011Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032010Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032009Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032008Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032007Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032006Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032005Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032004Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032003Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032002Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032001Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032000Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031999Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031998Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031997Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031996Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031995Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031994Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031993Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031992Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.084{2E2BE06D-6DD8-60FA-0D00-00000000E601}904924C:\Windows\system32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001031991Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:00.052{2E2BE06D-CA2B-60FA-5D0B-00000000E601}43204564C:\Windows\system32\taskhostw.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001032046Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.943{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0921C3D97C73A63CCABD3C479EEFAAAA,SHA256=17CC27628740E3DAFB6BA691D29BDEDCABB9FAFA7481DE1567800EE70C44E79F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894335Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:01.430{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0CFF7714C80A124510A8583D4C70FAD,SHA256=B77083AF1C919C2B8598DBB400882CAE7858400C9811D42A79E3E62BF0F06BA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001032045Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.583{2E2BE06D-CA2C-60FA-630B-00000000E601}47284840C:\Windows\Explorer.EXE{2E2BE06D-7595-60FE-CD79-00000000E601}1220C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032044Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.568{2E2BE06D-CA2C-60FA-630B-00000000E601}47284840C:\Windows\Explorer.EXE{2E2BE06D-7595-60FE-CD79-00000000E601}1220C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032043Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.568{2E2BE06D-CA2C-60FA-630B-00000000E601}47284840C:\Windows\Explorer.EXE{2E2BE06D-7595-60FE-CD79-00000000E601}1220C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032042Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.568{2E2BE06D-CA2B-60FA-5D0B-00000000E601}43204564C:\Windows\system32\taskhostw.exe{2E2BE06D-7595-60FE-CE79-00000000E601}5756C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032041Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.568{2E2BE06D-CA2B-60FA-5D0B-00000000E601}43204564C:\Windows\system32\taskhostw.exe{2E2BE06D-7595-60FE-CE79-00000000E601}5756C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032040Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.537{2E2BE06D-CA2C-60FA-630B-00000000E601}47283420C:\Windows\Explorer.EXE{2E2BE06D-7595-60FE-CD79-00000000E601}1220C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032039Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.537{2E2BE06D-CA2C-60FA-630B-00000000E601}47283420C:\Windows\Explorer.EXE{2E2BE06D-7595-60FE-CD79-00000000E601}1220C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032038Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.537{2E2BE06D-CA2C-60FA-630B-00000000E601}47283420C:\Windows\Explorer.EXE{2E2BE06D-7595-60FE-CD79-00000000E601}1220C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032037Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.537{2E2BE06D-CA2C-60FA-630B-00000000E601}47283420C:\Windows\Explorer.EXE{2E2BE06D-7595-60FE-CD79-00000000E601}1220C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032036Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.537{2E2BE06D-CA2C-60FA-630B-00000000E601}47282624C:\Windows\Explorer.EXE{2E2BE06D-7595-60FE-CE79-00000000E601}5756C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032035Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.537{2E2BE06D-CA2C-60FA-630B-00000000E601}47282624C:\Windows\Explorer.EXE{2E2BE06D-7595-60FE-CE79-00000000E601}5756C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032034Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.537{2E2BE06D-CA2C-60FA-630B-00000000E601}47282624C:\Windows\Explorer.EXE{2E2BE06D-7595-60FE-CE79-00000000E601}5756C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032033Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.537{2E2BE06D-CA2C-60FA-630B-00000000E601}47282624C:\Windows\Explorer.EXE{2E2BE06D-7595-60FE-CE79-00000000E601}5756C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032032Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.521{2E2BE06D-6DD8-60FA-1000-00000000E601}3845884C:\Windows\system32\svchost.exe{2E2BE06D-7595-60FE-CE79-00000000E601}5756C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032031Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.521{2E2BE06D-6DD8-60FA-1000-00000000E601}3841384C:\Windows\system32\svchost.exe{2E2BE06D-7595-60FE-CE79-00000000E601}5756C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001032030Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.146{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=553495A248B2957CB12E18A1CB8C557B,SHA256=86105F3DE7B7C495400EF5808322D84F4F3A11D3AF5E793A0B3D298347DC4786,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001032029Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.130{2E2BE06D-7595-60FE-CE79-00000000E601}57566124C:\Windows\system32\conhost.exe{2E2BE06D-7595-60FE-CD79-00000000E601}1220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032028Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.068{2E2BE06D-CA29-60FA-510B-00000000E601}36442280C:\Windows\system32\csrss.exe{2E2BE06D-7595-60FE-CE79-00000000E601}5756C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001032027Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.052{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032026Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.052{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032025Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.052{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032024Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.052{2E2BE06D-CA29-60FA-510B-00000000E601}3644812C:\Windows\system32\csrss.exe{2E2BE06D-7595-60FE-CD79-00000000E601}1220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001032023Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.052{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032022Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.052{2E2BE06D-CA2C-60FA-630B-00000000E601}47287012C:\Windows\Explorer.EXE{2E2BE06D-7595-60FE-CD79-00000000E601}1220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+3d433|C:\Windows\System32\SHELL32.dll+3d2fb|C:\Windows\System32\SHELL32.dll+3cc17|C:\Windows\System32\SHELL32.dll+3c8dc|C:\Windows\System32\SHELL32.dll+e2157|C:\Windows\System32\SHELL32.dll+e20b5 154100x80000000000000001032021Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:01.044{2E2BE06D-7595-60FE-CD79-00000000E601}1220C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{2E2BE06D-CA2A-60FA-99E8-600000000000}0x60e8992HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x80000000000000001032047Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:02.990{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE191E521A49896D03336FD6CBB3E73,SHA256=891BBA3174FD584C25FC0DB0F293FE10AB552825CD48A48C389EB3670BC12201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894336Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:02.431{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2261E734639DB3B701A28F5390875E8,SHA256=D5738BE744ADABA9C7AF35D1EC86F0535C97741DEA9EA8BB4E1BC5B080BD9157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894337Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:03.444{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B18E19ED14B657B08FC4497C2ECAF7,SHA256=ADD501FCC33CB724FE4E38D62BCE4AA2F98D746325E2B5DF7E7497F616AA82E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894338Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:04.446{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A8B628C639D6D32D87DB5EDC5110DC,SHA256=E1FEFA1D56DEAA1E2419520B38A1F0AC47BFDA06ABCDFA8EE77CA30796BAFD2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032048Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:04.005{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E31C0EEAEFA47C38CBFE5FA1F6A69F,SHA256=5FB9F0FCA62C8A21A226DEA731B0E116CF91B2AE039D507F5450568F3C9AB9F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894340Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:05.461{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB7F9CB215C14CD305A57EC01374E7B,SHA256=206B60C160A9B7E2E11E85B07241608D7353E49911A4A72F9C6B352E8A3F2CA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032049Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:05.021{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C05EDA395E458436453F17D529AA468,SHA256=331E758E0A11F8933EE73D729E76455092BA4A88690674890CF4F166CB8EB181,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000894339Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:42:55.253{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52764-false10.0.1.12-8000- 23542300x8000000000000000894341Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:06.461{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D23B221DA2B5F5D7E3650013242D489,SHA256=DF01620BDC9F9E20CFF37948A5B9E631B9F077EC911714B74866BDC1C5976559,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001032051Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:05.346{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57697-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001032050Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:06.052{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09BAD097D07DE99E35983BB1DA7E476,SHA256=68AFAFBADF9597C6030CEBB74A0D59919FEBD6B0DC45D565070DB98DCB9FE69B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894342Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:07.508{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C60818DAA3544CD89B7C0977D2C930,SHA256=59ECD9A2B83DDA6D4FC14D02046EDBFE1D8AE582E39D529139620BCD750C975A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032067Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:07.943{2E2BE06D-6DD8-60FA-1000-00000000E601}384NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\tmpgptfl.infMD5=F443C7B00E42C58336E9113C4B92A1EA,SHA256=01406B7BD612A8321213382482E44EA2C7B5467B57E17E9C135EAB2A8221FAEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032066Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:07.927{2E2BE06D-6DD8-60FA-1000-00000000E601}384NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\tmpgptfl.infMD5=26FFB2926F32F78EAEF80D8A870A88C6,SHA256=BA4E44773C9233D16C9950097A1D1FEF3AB2E8376120959E529DC97EF1871D7C,IMPHASH=00000000000000000000000000000000falsetrue 18141800x80000000000000001032065Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-ConnectPipe2021-07-26 08:43:07.927{2E2BE06D-6DD8-60FA-1000-00000000E601}384\scerpcC:\Windows\system32\svchost.exe 23542300x80000000000000001032064Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:07.927{2E2BE06D-6DD8-60FA-1000-00000000E601}384NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\gpt00001.infMD5=DBBF697C05F302D06DD05403297DB608,SHA256=632CAD193E30E450B7753E6D16643B576DFABAA1FA60E8D29DA7665946810599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032063Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:07.927{2E2BE06D-6DD8-60FA-1000-00000000E601}384NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\gpt00000.domMD5=338F5A9E4E606FC803055C8314E3F366,SHA256=DD15D6AD575AD10CBA979783EE68DC6A5A21ECDABDB4E0678F83870931BBD317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032062Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:07.896{2E2BE06D-6DD8-60FA-1000-00000000E601}384NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\tempntuser.polMD5=6D689707E44278AF6F07183A7BCCD7A1,SHA256=8DE08FDBC9FB72826CC6CB297618A441BF8B0B43AF883F6B905A1BE2DBE4A724,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001032061Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:07.849{2E2BE06D-6DD6-60FA-0B00-00000000E601}6365324C:\Windows\system32\lsass.exe{2E2BE06D-6DD3-60FA-0100-00000000E601}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001032060Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:07.708{2E2BE06D-7595-60FE-CE79-00000000E601}57566124C:\Windows\system32\conhost.exe{2E2BE06D-759B-60FE-CF79-00000000E601}2068C:\Windows\system32\gpupdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032059Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:07.708{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032058Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:07.708{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032057Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:07.708{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032056Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:07.708{2E2BE06D-CA29-60FA-510B-00000000E601}36441428C:\Windows\system32\csrss.exe{2E2BE06D-759B-60FE-CF79-00000000E601}2068C:\Windows\system32\gpupdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001032055Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:07.708{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032054Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:07.708{2E2BE06D-7595-60FE-CD79-00000000E601}12206784C:\Windows\system32\cmd.exe{2E2BE06D-759B-60FE-CF79-00000000E601}2068C:\Windows\system32\gpupdate.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001032053Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:07.718{2E2BE06D-759B-60FE-CF79-00000000E601}2068C:\Windows\System32\gpupdate.exe10.0.14393.3986 (rs1_release.201002-1707)Microsoft® Group Policy Update UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationGPUpdate.exegpupdate /forceC:\Users\Administrator\ATTACKRANGE\Administrator{2E2BE06D-CA2A-60FA-99E8-600000000000}0x60e8992HighMD5=2A360690356FCE21B7F18F4DB3CB8BF2,SHA256=AE6E09BD8130D3488FEE07248EFB58B08EB64B3C8F2FE64DD56A196BA82A299B,IMPHASH=B850A25F38035110A9276C6D7150694A{2E2BE06D-7595-60FE-CD79-00000000E601}1220C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x80000000000000001032052Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:07.052{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFCCD27DE7D5F178A412E112DF2EFAB0,SHA256=083BF82E4884CC9615158ED33416DCF9B28F60DA9F01B93CA74545C1637E10F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894343Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:08.524{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03ACA5FF36F570353C2F594AF2C05E2F,SHA256=6AB5A86EB5F9C3857EBA49D7F53C36BB806418280A0270486921FCD75798D07E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001032103Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.879{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57699-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local49666- 354300x80000000000000001032102Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.879{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57699-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local49666- 354300x80000000000000001032101Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.878{2E2BE06D-6DD8-60FA-0D00-00000000E601}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57698-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local135epmap 354300x80000000000000001032100Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.878{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57698-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local135epmap 734700x80000000000000001032099Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.880{2E2BE06D-759C-60FE-D079-00000000E601}5808C:\Windows\System32\taskhostw.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x80000000000000001032098Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.849{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=665867EA63EBCF233F346FCA072A1711,SHA256=B8FB10C5EDED41627EACFE22770E9F195DD0830549CBEF9711C6D2B96A01C76C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001032097Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:43:08.849{2E2BE06D-6DD9-60FA-1600-00000000E601}1332C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x000006e4) 23542300x80000000000000001032096Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.849{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D4BAF0AF048F5280CD60072655AFED7,SHA256=9ED8A5F0602A6F03A3B8C6AE2CA46641C71566D437134ADA1D41AD7077F1CB07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032095Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.740{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3F9CCBC0DC7EEDA290D4AB5F69A3E3F6,SHA256=736D361E74107BF44FE02A7F0416ADA174A73025834688EFF86D53C52F5F27CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032094Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.740{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=718C31ED7211B316F5C6406DEAEB24A6,SHA256=FAFAC7ED7580572EE31305DECCC14DFECBEA2C135E786998DD545933BC7F7B47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032093Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.599{2E2BE06D-6DD8-60FA-1000-00000000E601}384NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001032092Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.537{2E2BE06D-6DD8-60FA-0C00-00000000E601}8445960C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032091Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.537{2E2BE06D-6DD8-60FA-0C00-00000000E601}8445960C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032090Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.537{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441676C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032089Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.537{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441676C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032088Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.537{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441676C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032087Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.537{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441676C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001032086Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:43:08.521{2E2BE06D-6DD9-60FA-1600-00000000E601}1332C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Options\EnablePacketQueueDWORD (0x00000000) 10341000x80000000000000001032085Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.506{2E2BE06D-6DD8-60FA-0C00-00000000E601}8445960C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032084Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.506{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032083Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.506{2E2BE06D-6DD8-60FA-0C00-00000000E601}8445960C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032082Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.506{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001032081Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:43:08.506{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x80000000000000001032080Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.490{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+58a7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032079Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.490{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032078Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.490{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032077Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.490{2E2BE06D-6DD8-60FA-0C00-00000000E601}8441988C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001032076Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.490{2E2BE06D-6DD8-60FA-1000-00000000E601}384NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\audit\audit.csvMD5=F4E30E7818BDF752F45CF903EBDDCCE8,SHA256=40A234BC7029945B351B29B4C7A7C4E59F5A9F98EB462905C6DB4EBB689D0A83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032075Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.474{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7DE1226E34BCB333E663979CA3B24BCF,SHA256=D287525128CE00CB1BF24822AFF5DA349F2B3D63FEE91DBC13569CDA7B6E3772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032074Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.458{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7B0B023C4DE056F1059856F419B5D9D3,SHA256=826D2E10A94563C3A50A1E990D7E736F4888F42573AA77A58C635A21516E30C9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001032073Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:43:08.427{2E2BE06D-6DD6-60FA-0A00-00000000E601}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\NTDS\Parameters\ldapserverintegrityDWORD (0x00000001) 13241300x80000000000000001032072Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:43:08.427{2E2BE06D-6DD6-60FA-0A00-00000000E601}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Netlogon\Parameters\requiresignorsealDWORD (0x00000001) 13241300x80000000000000001032071Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:43:08.427{2E2BE06D-6DD6-60FA-0A00-00000000E601}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\requiresecuritysignatureDWORD (0x00000001) 13241300x80000000000000001032070Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:43:08.427{2E2BE06D-6DD6-60FA-0A00-00000000E601}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\enablesecuritysignatureDWORD (0x00000001) 13241300x80000000000000001032069Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.localT1101SetValue2021-07-26 08:43:08.427{2E2BE06D-6DD6-60FA-0A00-00000000E601}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001) 23542300x80000000000000001032068Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.052{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08EB07226236CBBA020F843AF15EFB55,SHA256=025D70DF79002B236C4FC6513851284EE9BC7CBD0F311645CDE9B2A2E91E7E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894344Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:09.540{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=357F7E11BF688458136D39D9D6947B1C,SHA256=FF902DC8E8B027A7521A24964B25A939C83BCDA8885140584997705B8C7C52B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001032117Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:09.994{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57705-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 354300x80000000000000001032116Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:09.660{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:c810:29f6:689:ffff-52511-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000001032115Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:09.660{2E2BE06D-6DD8-60FA-1500-00000000E601}1132C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local52511-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x80000000000000001032114Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:09.660{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-56.attackrange.local57704-false10.0.1.14win-dc-56.attackrange.local389ldap 354300x80000000000000001032113Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:09.660{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57704-false10.0.1.14win-dc-56.attackrange.local389ldap 354300x80000000000000001032112Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:09.650{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57703-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001032111Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:09.650{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57703-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001032110Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.991{2E2BE06D-6DD3-60FA-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57702-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local445microsoft-ds 354300x80000000000000001032109Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.991{2E2BE06D-6DD3-60FA-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57702-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local445microsoft-ds 354300x80000000000000001032108Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.901{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-56.attackrange.local57701-false10.0.1.14win-dc-56.attackrange.local389ldap 354300x80000000000000001032107Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.901{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57701-false10.0.1.14win-dc-56.attackrange.local389ldap 354300x80000000000000001032106Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.891{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57700-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001032105Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:08.891{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57700-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 23542300x80000000000000001032104Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:09.115{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C582FD14D0DF651E1D39BA82C641C33,SHA256=3D442E96948221C93A53A05ED4F6C9DC84277F4021903EB2A8A573091479242E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894346Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:10.618{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7BE4BA68D3A7C4420D43F121023105A,SHA256=483C41E8D1BCBAA81DB0EA3FBCC66D0FD3CE68443F30AD2CC27AB6A343824D10,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001032121Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:10.005{00000000-0000-0000-0000-000000000000}5808win-dc-56.attackrange.local0fe80::90d2:7368:bb37:9ac5;::ffff:10.0.1.14;<unknown process> 354300x80000000000000001032120Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:09.994{00000000-0000-0000-0000-000000000000}5808<unknown process>-tcptruetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57705-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 23542300x80000000000000001032119Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:10.333{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C1F93F2A6718DECD8A94DE154C02992,SHA256=7AC7133AA144B19FB84ABAA9D9E59DC1B58F94D6CE33ECCED54DC1828311068E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000894345Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:01.224{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52765-false10.0.1.12-8000- 354300x80000000000000001032118Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:10.037{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-56.attackrange.local57706-false10.0.1.14win-dc-56.attackrange.local389ldap 23542300x8000000000000000894347Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:11.665{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA861DD595AE7F93E9DDEE15C4155C84,SHA256=936ED7D76F36D6A93822A51AA8830D6CCD47AD9EF21ED3EC8B36F7EA5D491F3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032124Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:11.349{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1B302872C0E26CB1014BF83A3009073,SHA256=9EA265A49D3B32FD363B90DEB3FA81F44244C817A04A6BCF217863DA14782188,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001032123Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:10.064{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-56.attackrange.local57707-false10.0.1.14win-dc-56.attackrange.local389ldap 354300x80000000000000001032122Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:10.037{00000000-0000-0000-0000-000000000000}5808<unknown process>-tcptruefalse10.0.1.14win-dc-56.attackrange.local57706-false10.0.1.14win-dc-56.attackrange.local389ldap 23542300x8000000000000000894348Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:12.680{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E543958E81C19F11CEE71FDB33FFC7D,SHA256=28AE36BE4CDE626247281EBFCBAE04E2C539AEACA1ADAC4B1DF57F657179571D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001032127Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:11.158{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57708-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001032126Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:12.349{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81BE783FC6B1116A65E50B45155CB1B5,SHA256=BF1DCE7667F9757C3B3C5D0E5BD7540D3F7A47F0C55EB982484DCC9CB522E998,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001032125Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:10.064{00000000-0000-0000-0000-000000000000}5808<unknown process>-tcptruefalse10.0.1.14win-dc-56.attackrange.local57707-false10.0.1.14win-dc-56.attackrange.local389ldap 23542300x80000000000000001032128Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:13.443{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51EBA47A00C9907932AAA29DA7B4BE3C,SHA256=D9DE41772E553AC9AAB14581E5ABE6C4294812D4F9F31F5BE616FCBC7D79D67D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894349Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:13.696{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C21E55145C66CC3F8EE5FB51D204E67,SHA256=A1C18565C0BA8D50463842C4D59D280721F98222879D16BA766A484521EC4579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894356Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:14.696{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7851A84516BCB3A90997425898A7C634,SHA256=D8C5BC94109FC8B77E0637943755615201C874D0C88CEA3E63C265EF5D426571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032129Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:14.474{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF19396FB4D7DD3DCEEC7B7697A6C5FA,SHA256=09C1BCC6B0E8E752FDA2E523F21798C7BCBEE104C3E5734BA52E0C309CCF937E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000894355Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:04.997{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse217.160.191.146-49492-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 10341000x8000000000000000894354Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:14.493{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD8-60FA-1300-00000000E701}684C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894353Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:14.493{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD8-60FA-1300-00000000E701}684C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894352Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:14.493{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD8-60FA-1300-00000000E701}684C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000894351Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:14.086{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AB17F2F0607A2822C48C2183130BF64,SHA256=E0B62B8DCD03828BE12C6BEB30D25932DF120E3F1EBC838455F80A06EBC4D2A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894350Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:14.086{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C236AEFD5AE7BF7B55FD92A1234D08BC,SHA256=6EDF0689D32CC535FA0C7B561B19C38C42ADA212048D8A1C1B806D6495B7F40E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894357Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:15.930{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8080C14E6464E8404D68F7EB5F538D4,SHA256=3FD554789FFA2ECAC07E2B19C259C3BCF6848F79C3F25D06EDBFFDE51DCE67F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032130Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:15.490{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8B0C228F6BD89E9FDA6F636B91448FE,SHA256=9E4803F7B63F24716D1BFEEEC430F663B9987C1F2C94E94FB03900BDC097D066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894359Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:16.993{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4084009E819EA68B04469979738BCF28,SHA256=5EBF6457D47A2DE52029A9E978A8488C4F8E268CE30D68174299EF10A2A7C590,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001032132Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:16.205{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57709-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001032131Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:16.490{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA02CFC556624BDD6AB009E97DE57567,SHA256=FA7F65F414A6421B7DE083F7CF29C578A66CA7A4BC7047A03516EFEB3B573500,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000894358Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:07.145{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52766-false10.0.1.12-8000- 23542300x80000000000000001032134Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:17.974{2E2BE06D-6DD8-60FA-1200-00000000E601}780NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0793462D92A45583496F231CA0F172BC,SHA256=39CF07FCE42DA41C627BCE6E872ABFAEE184C9431E43ADBCF85A929EE6C1DDA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032133Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:17.505{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75AF24EDA39ABF81E01599531925F69,SHA256=0EABB740B4E0D2B74328E9CF41D33C40FB9178DF8FE39B223D480D036DCF2426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032135Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:18.521{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96E2E782E8573DE5A64868CB7921B5B2,SHA256=77BEA318962DBFF54792EE0B201608C747B8D7A299900176EC758A46FEABF308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894360Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:18.024{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8EC667D6B290078CBEE75CA1F8A37E,SHA256=D2C6EC41C9203AFC357DCF1A9A1631560E17546A8C953F34410EEBB0ABF423E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032136Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:19.521{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06E267A18CC5CB3F8FC1D80084D9CA4F,SHA256=72531A330BFCECA7F34F0D5E9B79168B8C9D0D93C20C37C7FD9F297B49EF5D28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894361Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:19.071{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB52E2F2DE6F472D6BCDBD2C4CB0417,SHA256=B7213601EEBDF876A9B0AC546CB37BD5335159F01DC574A4E8563E248D23096D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001032147Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.localInvDBSetValue2021-07-26 08:43:20.959{2E2BE06D-6DD8-60FA-1300-00000000E601}96C:\Windows\System32\svchost.exeHKU\S-1-5-21-1382834448-4213258134-3478073696-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Mozilla Firefox\firefox.exeBinary Data 10341000x80000000000000001032146Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:20.959{2E2BE06D-6DD8-60FA-1300-00000000E601}96868C:\Windows\System32\svchost.exe{2E2BE06D-75A8-60FE-D179-00000000E601}5804C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032145Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:20.959{2E2BE06D-6DD8-60FA-1300-00000000E601}96868C:\Windows\System32\svchost.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032144Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:20.943{2E2BE06D-CA29-60FA-510B-00000000E601}36441428C:\Windows\system32\csrss.exe{2E2BE06D-75A8-60FE-D179-00000000E601}5804C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001032143Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:20.943{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032142Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:20.943{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032141Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:20.943{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032140Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:20.943{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032139Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:20.943{2E2BE06D-CA2C-60FA-630B-00000000E601}4728972C:\Windows\Explorer.EXE{2E2BE06D-75A8-60FE-D179-00000000E601}5804C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\windows.storage.dll+10932|C:\Windows\System32\windows.storage.dll+10629|C:\Windows\System32\windows.storage.dll+104ff|C:\Windows\System32\SHELL32.dll+80257|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+18cf2c 154100x80000000000000001032138Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:20.915{2E2BE06D-75A8-60FE-D179-00000000E601}5804C:\Program Files\Mozilla Firefox\firefox.exe90.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{2E2BE06D-CA2A-60FA-99E8-600000000000}0x60e8992HighMD5=56F928829CFBB7B1149B7C838473EBAB,SHA256=CAF987FAF1C1B2A7A5CC14320A3B576B0628F4B48CED6A2DB1DB44ABEB35803D,IMPHASH=C483AB042998E5D3F9AC1D5A7C7ABDB2{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x80000000000000001032137Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:20.521{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=596BE1FD8F5DCA22BE1E5C67EB0BC552,SHA256=17D66400512635119EFC0F55F4C467E71F7D66426B7B2499AC88DD670865AD11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894362Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:20.290{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E437ECAE746EF1E8B8424B7C7FC84434,SHA256=3C0EE12C5D0683F9C57EF287D94899D4B84481206E7A862523D3A2B10AE83EBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032160Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:21.552{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E042B3F5AE11918D5C401993809454A,SHA256=64DE9704FDFBBD5E7CED1CD74CB39C12F4C2E2E6262FAA8F53272832730F8BAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000894364Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:12.239{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52767-false10.0.1.12-8000- 23542300x8000000000000000894363Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:21.290{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE81B0638CBF14CDB708B13BD8DE2F28,SHA256=8EDBE75FF928177C2D2278C81FD86707452387025886CDA77BA2BE02D89FBE32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001032159Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:21.412{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DD9-60FA-1600-00000000E601}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032158Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:21.412{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DD9-60FA-1600-00000000E601}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032157Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:21.412{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DD9-60FA-1600-00000000E601}1332C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032156Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:21.115{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75A8-60FE-D179-00000000E601}5804C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+6f5a|C:\Program Files\Mozilla Firefox\firefox.exe+5389|C:\Program Files\Mozilla Firefox\firefox.exe+1bad8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032155Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:21.006{2E2BE06D-CA29-60FA-510B-00000000E601}36441428C:\Windows\system32\csrss.exe{2E2BE06D-75A9-60FE-D279-00000000E601}5380C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001032154Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:21.006{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032153Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:21.006{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032152Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:21.006{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032151Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:21.006{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032150Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:21.006{2E2BE06D-75A8-60FE-D179-00000000E601}58046164C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75A9-60FE-D279-00000000E601}5380C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+8861|C:\Program Files\Mozilla Firefox\firefox.exe+5389|C:\Program Files\Mozilla Firefox\firefox.exe+1bad8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001032149Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:21.016{2E2BE06D-75A9-60FE-D279-00000000E601}5380C:\Program Files\Mozilla Firefox\firefox.exe90.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{2E2BE06D-CA2A-60FA-99E8-600000000000}0x60e8992MediumMD5=56F928829CFBB7B1149B7C838473EBAB,SHA256=CAF987FAF1C1B2A7A5CC14320A3B576B0628F4B48CED6A2DB1DB44ABEB35803D,IMPHASH=C483AB042998E5D3F9AC1D5A7C7ABDB2{2E2BE06D-75A8-60FE-D179-00000000E601}5804C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x80000000000000001032148Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:21.006{2E2BE06D-75A8-60FE-D179-00000000E601}58046164C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-CA2C-60FA-630B-00000000E601}4728C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+6f5a|C:\Program Files\Mozilla Firefox\firefox.exe+5389|C:\Program Files\Mozilla Firefox\firefox.exe+1bad8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001032162Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:22.693{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1FF444A94003DC764A9DC7DF262BE2F,SHA256=A4CB43965A849B550C478951ACD57C52699D735208D753B1E84AFFD14D26E124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000894365Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:22.321{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B94E8CF0CE72AC36E1A9724CBF9BD5D,SHA256=3757B8DA7639A90B003C0A14AEC6134B1FD87D725C296B28B1B1777E90852E88,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001032161Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:21.315{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57710-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000894366Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:23.477{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB586D28E33A5532448EC1753541F678,SHA256=79DA3A203C4688AAD61F2029A8F914723C3ABA5DA4A2581A1DA221CF67260A82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032205Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.974{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-journalMD5=A6A535CA0A43850946A54F1CCF7A6D8F,SHA256=7AB36DAC4EF5B770A4FE0E7EE4BF333D0846D6FFEBDB396BC91F1D1BE5E22E83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032204Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.974{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-journalMD5=A37606E3BBEE6C6C7DF4234D590BF5F4,SHA256=9841B19FED45FC43C0F89184B935E674AD1246D5D4BAA914E136D7278D04734D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032203Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.958{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\storage.sqlite-journalMD5=281B441DCCFA6C8CB7AFEACD64E85526,SHA256=E5B25BB8B94CCD17FDBD09C1AC9FE677A59A2C01B7DA05BAFD2CDD0A8EC381C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032202Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.943{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\storage.sqlite-journalMD5=BE4C8B6B563D582446B2DE86BC8CD893,SHA256=6B44A3216A71F92F8C0FC0AE491EDC9C980F6F03F0C55166B95E34833000D200,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032201Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.943{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\storage.sqlite-journalMD5=291582C61EB781D6E19D442F009133EF,SHA256=152E619FB2BB28683C9C1BC43F443B0D02F8F9053754F278BE2252D667A46D1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032200Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.927{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\times.jsonMD5=1E1A0D0CBA861FA74796E5D9A7833E7D,SHA256=6D9E60F6A301EDC20466E71AED84CAED88F28EFC85ED99A37647D1B10C830C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032199Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.927{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001032198Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.927{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+1c021c|C:\Program Files\Mozilla Firefox\xul.dll+1c017a|C:\Program Files\Mozilla Firefox\xul.dll+21f0388|C:\Program Files\Mozilla Firefox\xul.dll+222d10f|C:\Program Files\Mozilla Firefox\xul.dll+c02e3d|C:\Program Files\Mozilla Firefox\xul.dll+25d9506|C:\Program Files\Mozilla Firefox\xul.dll+2141194|C:\Program Files\Mozilla Firefox\xul.dll+195366b|C:\Program Files\Mozilla Firefox\xul.dll+15be76e|C:\Program Files\Mozilla Firefox\xul.dll+1974caa|C:\Program Files\Mozilla Firefox\xul.dll+a2f85f|C:\Program Files\Mozilla Firefox\xul.dll+26cce|C:\Program Files\Mozilla Firefox\xul.dll+1a41e8|C:\Program Files\Mozilla Firefox\xul.dll+1a307f|C:\Program Files\Mozilla Firefox\xul.dll+405de1a|C:\Program Files\Mozilla Firefox\xul.dll+40c9abd|C:\Program Files\Mozilla Firefox\xul.dll+40ca748|C:\Program Files\Mozilla Firefox\xul.dll+1dd7883|C:\Program Files\Mozilla Firefox\firefox.exe+5831|C:\Program Files\Mozilla Firefox\firefox.exe+1bad8|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000001032197Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-ConnectPipe2021-07-26 08:43:23.927{2E2BE06D-75A9-60FE-D279-00000000E601}5380\chrome.5380.2.148680702C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001032196Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-CreatePipe2021-07-26 08:43:23.927{2E2BE06D-75A9-60FE-D279-00000000E601}5380\chrome.5380.2.148680702C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001032195Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-CreatePipe2021-07-26 08:43:23.927{2E2BE06D-75A9-60FE-D279-00000000E601}5380\chrome.5380.1.206423570C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001032194Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.740{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032193Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.740{2E2BE06D-6DD8-60FA-1000-00000000E601}3846864C:\Windows\system32\svchost.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032192Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.740{2E2BE06D-6DD8-60FA-1000-00000000E601}3841384C:\Windows\system32\svchost.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001032191Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-ConnectPipe2021-07-26 08:43:23.740{2E2BE06D-75AB-60FE-D379-00000000E601}5904\chrome.5380.0.105643393C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001032190Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.724{2E2BE06D-75A9-60FE-D279-00000000E601}53804800C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+13560b|C:\Program Files\Mozilla Firefox\xul.dll+122703d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001032189Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-ConnectPipe2021-07-26 08:43:23.724{2E2BE06D-75AB-60FE-D379-00000000E601}5904\gecko-crash-server-pipe.5380C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001032188Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.724{2E2BE06D-6DD8-60FA-1400-00000000E601}6881608C:\Windows\system32\svchost.exe{2E2BE06D-75A9-60FE-D279-00000000E601}5380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032187Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.724{2E2BE06D-6DD8-60FA-1400-00000000E601}6881608C:\Windows\system32\svchost.exe{2E2BE06D-75A9-60FE-D279-00000000E601}5380C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032186Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.708{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032185Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.708{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032184Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.708{2E2BE06D-75A9-60FE-D279-00000000E601}53806984C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a3e37f|C:\Program Files\Mozilla Firefox\xul.dll+8ba7f4|C:\Program Files\Mozilla Firefox\xul.dll+15b14f6|C:\Program Files\Mozilla Firefox\xul.dll+1970a95|C:\Program Files\Mozilla Firefox\xul.dll+13de5|C:\Program Files\Mozilla Firefox\xul.dll+a2f85f|C:\Program Files\Mozilla Firefox\xul.dll+134af|C:\Program Files\Mozilla Firefox\xul.dll+a2d071|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032183Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.693{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032182Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.693{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032181Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.693{2E2BE06D-CA29-60FA-510B-00000000E601}36441428C:\Windows\system32\csrss.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001032180Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.693{2E2BE06D-75A9-60FE-D279-00000000E601}53801184C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+16bd491|C:\Program Files\Mozilla Firefox\xul.dll+a392d9|C:\Program Files\Mozilla Firefox\xul.dll+a37755|C:\Program Files\Mozilla Firefox\xul.dll+a3f23e|C:\Program Files\Mozilla Firefox\xul.dll+8f4eb0|C:\Program Files\Mozilla Firefox\xul.dll+15bedee|C:\Program Files\Mozilla Firefox\xul.dll+26eca|C:\Program Files\Mozilla Firefox\xul.dll+a2f85f|C:\Program Files\Mozilla Firefox\xul.dll+26cce|C:\Program Files\Mozilla Firefox\xul.dll+8f79c7|C:\Program Files\Mozilla Firefox\nss3.dll+7630d|C:\Program Files\Mozilla Firefox\nss3.dll+8e3f1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001032179Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.708{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe90.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5380.0.1056433935\612311557" -parentBuildID 20210716144314 -prefsHandle 1892 -prefMapHandle 1880 -prefsLen 1 -prefMapSize 234565 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5380 "\\.\pipe\gecko-crash-server-pipe.5380" 1960 gpuC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{2E2BE06D-CA2A-60FA-99E8-600000000000}0x60e8992MediumMD5=56F928829CFBB7B1149B7C838473EBAB,SHA256=CAF987FAF1C1B2A7A5CC14320A3B576B0628F4B48CED6A2DB1DB44ABEB35803D,IMPHASH=C483AB042998E5D3F9AC1D5A7C7ABDB2{2E2BE06D-75A9-60FE-D279-00000000E601}5380C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x80000000000000001032178Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-CreatePipe2021-07-26 08:43:23.693{2E2BE06D-75A9-60FE-D279-00000000E601}5380\chrome.5380.0.105643393C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001032177Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-CreatePipe2021-07-26 08:43:23.693{2E2BE06D-75A9-60FE-D279-00000000E601}5380\gecko-crash-server-pipe.5380C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001032176Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.662{2E2BE06D-CA2B-60FA-5D0B-00000000E601}43204564C:\Windows\system32\taskhostw.exe{2E2BE06D-75A9-60FE-D279-00000000E601}5380C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032175Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.662{2E2BE06D-CA2B-60FA-5D0B-00000000E601}43204564C:\Windows\system32\taskhostw.exe{2E2BE06D-75A9-60FE-D279-00000000E601}5380C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032174Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.662{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-75A9-60FE-D279-00000000E601}5380C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032173Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.662{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-75A9-60FE-D279-00000000E601}5380C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001032172Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.662{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032171Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.412{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\cookies.sqlite-journalMD5=E76AC104A5AED7C7B1BECEDD2283CD88,SHA256=A981D8B1B0B29B441752BA64388011395BECA8C2A053697E36E9ECE8D282C403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032170Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.318{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\permissions.sqlite-journalMD5=7D70682F0853A32A080500CC2178B79C,SHA256=CE4A86255DF34A0596616931148C98A35A376966FBC6A5097FE4983E3BF8F267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032169Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.302{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\permissions.sqlite-journalMD5=3C661DA88569CAF8004137B8CAAF362C,SHA256=AF424321B189786DDFFDA92B1129518EB5308EC3ECD5D31B05CEC8B56950AF95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032168Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.302{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\cookies.sqlite-journalMD5=D0B89205563182CA179C6647B6C3E551,SHA256=3D83932C37641BE5CA79275379BA97FDC676213A689529860353409037614017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032167Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.302{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\permissions.sqlite-journalMD5=28F9C87A878B6CDAA6066514DCDF3858,SHA256=3BBC61A50B05B2CBE1D85890004B603E816D18B6C7B4BE0BDC35C69184603EDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032166Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.287{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\cookies.sqlite-journalMD5=7989B9E83A0212186D4439ACC7571BCD,SHA256=ABC6EE13FC340BB552AD28B84770551EEDD265BC2F2CA73D2542076127D59351,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001032165Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.115{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-75A9-60FE-D279-00000000E601}5380C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032164Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.115{2E2BE06D-6DD8-60FA-1000-00000000E601}3846864C:\Windows\system32\svchost.exe{2E2BE06D-75A9-60FE-D279-00000000E601}5380C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032163Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:23.115{2E2BE06D-6DD8-60FA-1000-00000000E601}3841384C:\Windows\system32\svchost.exe{2E2BE06D-75A9-60FE-D279-00000000E601}5380C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000894367Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:43:24.493{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26571807E4016D0B140884B59A74E3A,SHA256=38F2BA735B637F250EDD2E0D72E4FEE692627E51EDB9F369ED784B8489A51570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032521Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.987{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB28E056A554FC1D7EFB0534D431F7C4,SHA256=2B08E386E08A748E11E91912B2DA56198D135B53C11A5FBAD501757C07DBFAEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032520Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.969{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001032519Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.969{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D479-00000000E601}6640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a84bb8|C:\Program Files\Mozilla Firefox\xul.dll+22018d2|C:\Program Files\Mozilla Firefox\xul.dll+349144c|C:\Program Files\Mozilla Firefox\xul.dll+195366b|C:\Program Files\Mozilla Firefox\xul.dll+15be76e|C:\Program Files\Mozilla Firefox\xul.dll+1974caa|C:\Program Files\Mozilla Firefox\xul.dll+a2f85f|C:\Program Files\Mozilla Firefox\xul.dll+26cce|C:\Program Files\Mozilla Firefox\xul.dll+1a41e8|C:\Program Files\Mozilla Firefox\xul.dll+1a307f|C:\Program Files\Mozilla Firefox\xul.dll+405de1a|C:\Program Files\Mozilla Firefox\xul.dll+40c9abd|C:\Program Files\Mozilla Firefox\xul.dll+40ca748|C:\Program Files\Mozilla Firefox\xul.dll+1dd7883|C:\Program Files\Mozilla Firefox\firefox.exe+5831|C:\Program Files\Mozilla Firefox\firefox.exe+1bad8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001032518Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.954{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66724849FF2626FF23376F0C217BABE4,SHA256=4A1EA26139A0C797F995F78F35DB9556016E9E90778A317B8811F5B26DCA18DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032517Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.891{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\favicons.sqlite-walMD5=84E9A219DAF22A60014BEC64CE901F95,SHA256=1D43D6B60A94F0D088D59038D66D05DF5E91C2EAFF837E1C59997C28AA66F5E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032516Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.890{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\favicons.sqlite-shmMD5=6942D70D7C58CA13395A9E244CC39C03,SHA256=4235C2E07CB59F55AF4D6910BEEAD52C5001E86E84E98B18C6E6A8508395B38E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032515Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.869{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\favicons.sqlite-journalMD5=EBFE82C535016D6714A7147320443441,SHA256=0372243709A02A3F985A3B264F8B4D4576EE2A042AAAF0B65BC81F88915EC2AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032514Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.869{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walMD5=2068708E191F4ED29835EC74EA4FB71A,SHA256=0DA1093533980658DAE85DFCA96D8FCAC7B9BB416EDD5C2A2545C2FFF100D1E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032513Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.869{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=7DA0887FB7C7A9BD7594696FB3D6BB99,SHA256=6FE026276C366EE52DD4AE9B158BF49192751B9705F966E512BE44D58BFC0956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032512Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.869{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\favicons.sqlite-journalMD5=2F27F8D980796B35C6A30513B998C3FC,SHA256=ADAAC297EBD2EE4414A90A4DBE875DD2E28B1D77F966AF0912AF308A6C29500A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001032511Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.869{2E2BE06D-75A9-60FE-D279-00000000E601}53806712C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38100|C:\Program Files\Mozilla Firefox\firefox.exe+37ff6|C:\Program Files\Mozilla Firefox\firefox.exe+49560|C:\Program Files\Mozilla Firefox\firefox.exe+4925c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032510Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.869{2E2BE06D-75A9-60FE-D279-00000000E601}53806712C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38100|C:\Program Files\Mozilla Firefox\firefox.exe+37ff6|C:\Program Files\Mozilla Firefox\firefox.exe+49560|C:\Program Files\Mozilla Firefox\firefox.exe+4925c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001032509Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.854{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\places.sqlite-journalMD5=B22AA8DD5AB19F314F5F9A5140727367,SHA256=D01FE4D9EF095DD25CECA8AAF3BDD5352496F8875859259BA5B9685B3BF6BB9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032508Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.854{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\storage\default\moz-extension+++b11aa9bb-e731-4efb-b5e3-46a534f00047^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite-walMD5=931386FD6B3E1BA373A07AE9CC0783D7,SHA256=D252DC573F4320149A1ACB51CE4C8E7B74B7F712FF2D0D9B036940BFF56F026E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032507Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.854{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\storage\default\moz-extension+++b11aa9bb-e731-4efb-b5e3-46a534f00047^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite-shmMD5=66D9FE71533FC9D2C64AB859AE0605E6,SHA256=704EF63C9265CE1353A4C1966F9C6117843B6049E4379B8CD263DE5032C67431,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001032506Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.838{2E2BE06D-75A9-60FE-D279-00000000E601}53806712C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38100|C:\Program Files\Mozilla Firefox\firefox.exe+37ff6|C:\Program Files\Mozilla Firefox\firefox.exe+49560|C:\Program Files\Mozilla Firefox\firefox.exe+4925c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032505Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.838{2E2BE06D-75A9-60FE-D279-00000000E601}53806712C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+38100|C:\Program Files\Mozilla Firefox\firefox.exe+37ff6|C:\Program Files\Mozilla Firefox\firefox.exe+49560|C:\Program Files\Mozilla Firefox\firefox.exe+4925c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001032504Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.822{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\storage\default\moz-extension+++b11aa9bb-e731-4efb-b5e3-46a534f00047^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite-journalMD5=825953D8357E3B532ABABB1B95EF5DFB,SHA256=D02DAE21F0F4E4C19734197FD3B73BD6672B410E355849A55AC1DB99C6DAB697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032503Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.822{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\storage\default\moz-extension+++b11aa9bb-e731-4efb-b5e3-46a534f00047^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite-journalMD5=A8CE695E6AA9A451EA862AF342A4A086,SHA256=1127A5F7738CE9656387A759E3A38813916ECB36782D51A02471EFAF5E2057F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032502Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.822{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\webappsstore.sqlite-journalMD5=20B0363B93CEC661B2AF570C23E07DD2,SHA256=29F305F5990F0569F0EE4FA2AD8AE2137F2113263BC484EF21608E0DC7C8F5E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001032501Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.807{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+edfdee|C:\Program Files\Mozilla Firefox\xul.dll+2968a2|C:\Program Files\Mozilla Firefox\xul.dll+2957af|C:\Program Files\Mozilla Firefox\xul.dll+29559a|C:\Program Files\Mozilla Firefox\xul.dll+ef8dd7|C:\Program Files\Mozilla Firefox\xul.dll+368f1b0|C:\Program Files\Mozilla Firefox\xul.dll+efbf7c|C:\Program Files\Mozilla Firefox\xul.dll+efa554|C:\Program Files\Mozilla Firefox\xul.dll+ef53c4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802708D38A8)|UNKNOWN(FFFF858266AA5B68)|UNKNOWN(FFFF858266A99D58)|UNKNOWN(FFFF858266A999DD)|UNKNOWN(FFFFF802705EB103)|C:\Windows\System32\win32u.dll+1764|C:\Windows\System32\USER32.dll+11baf|C:\Program Files\Mozilla Firefox\xul.dll+1779048 10341000x80000000000000001032500Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.807{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+edfdc7|C:\Program Files\Mozilla Firefox\xul.dll+2968a2|C:\Program Files\Mozilla Firefox\xul.dll+2957af|C:\Program Files\Mozilla Firefox\xul.dll+29559a|C:\Program Files\Mozilla Firefox\xul.dll+ef8dd7|C:\Program Files\Mozilla Firefox\xul.dll+368f1b0|C:\Program Files\Mozilla Firefox\xul.dll+efbf7c|C:\Program Files\Mozilla Firefox\xul.dll+efa554|C:\Program Files\Mozilla Firefox\xul.dll+ef53c4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802708D38A8)|UNKNOWN(FFFF858266AA5B68)|UNKNOWN(FFFF858266A99D58)|UNKNOWN(FFFF858266A999DD)|UNKNOWN(FFFFF802705EB103)|C:\Windows\System32\win32u.dll+1764|C:\Windows\System32\USER32.dll+11baf|C:\Program Files\Mozilla Firefox\xul.dll+1779048 10341000x80000000000000001032499Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.807{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+edfd9c|C:\Program Files\Mozilla Firefox\xul.dll+2968a2|C:\Program Files\Mozilla Firefox\xul.dll+2957af|C:\Program Files\Mozilla Firefox\xul.dll+29559a|C:\Program Files\Mozilla Firefox\xul.dll+ef8dd7|C:\Program Files\Mozilla Firefox\xul.dll+368f1b0|C:\Program Files\Mozilla Firefox\xul.dll+efbf7c|C:\Program Files\Mozilla Firefox\xul.dll+efa554|C:\Program Files\Mozilla Firefox\xul.dll+ef53c4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802708D38A8)|UNKNOWN(FFFF858266AA5B68)|UNKNOWN(FFFF858266A99D58)|UNKNOWN(FFFF858266A999DD)|UNKNOWN(FFFFF802705EB103)|C:\Windows\System32\win32u.dll+1764|C:\Windows\System32\USER32.dll+11baf|C:\Program Files\Mozilla Firefox\xul.dll+1779048 10341000x80000000000000001032498Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.807{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032497Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.807{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D579-00000000E601}4960C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a45567|C:\Program Files\Mozilla Firefox\xul.dll+ab8ee9|C:\Program Files\Mozilla Firefox\xul.dll+a16962|C:\Program Files\Mozilla Firefox\xul.dll+8f3aea|C:\Program Files\Mozilla Firefox\xul.dll+195366b|C:\Program Files\Mozilla Firefox\xul.dll+15be76e|C:\Program Files\Mozilla Firefox\xul.dll+1974caa|C:\Program Files\Mozilla Firefox\xul.dll+a2f85f|C:\Program Files\Mozilla Firefox\xul.dll+26cce|C:\Program Files\Mozilla Firefox\xul.dll+1a41e8|C:\Program Files\Mozilla Firefox\xul.dll+1a307f|C:\Program Files\Mozilla Firefox\xul.dll+405de1a|C:\Program Files\Mozilla Firefox\xul.dll+40c9abd|C:\Program Files\Mozilla Firefox\xul.dll+40ca748|C:\Program Files\Mozilla Firefox\xul.dll+1dd7883|C:\Program Files\Mozilla Firefox\firefox.exe+5831|C:\Program Files\Mozilla Firefox\firefox.exe+1bad8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032496Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.807{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D579-00000000E601}4960C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a45567|C:\Program Files\Mozilla Firefox\xul.dll+ab8ee9|C:\Program Files\Mozilla Firefox\xul.dll+a16962|C:\Program Files\Mozilla Firefox\xul.dll+8f3aea|C:\Program Files\Mozilla Firefox\xul.dll+195366b|C:\Program Files\Mozilla Firefox\xul.dll+15be76e|C:\Program Files\Mozilla Firefox\xul.dll+1974caa|C:\Program Files\Mozilla Firefox\xul.dll+a2f85f|C:\Program Files\Mozilla Firefox\xul.dll+26cce|C:\Program Files\Mozilla Firefox\xul.dll+1a41e8|C:\Program Files\Mozilla Firefox\xul.dll+1a307f|C:\Program Files\Mozilla Firefox\xul.dll+405de1a|C:\Program Files\Mozilla Firefox\xul.dll+40c9abd|C:\Program Files\Mozilla Firefox\xul.dll+40ca748|C:\Program Files\Mozilla Firefox\xul.dll+1dd7883|C:\Program Files\Mozilla Firefox\firefox.exe+5831|C:\Program Files\Mozilla Firefox\firefox.exe+1bad8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032495Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.807{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D579-00000000E601}4960C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a45567|C:\Program Files\Mozilla Firefox\xul.dll+ab8ee9|C:\Program Files\Mozilla Firefox\xul.dll+a16962|C:\Program Files\Mozilla Firefox\xul.dll+8f3aea|C:\Program Files\Mozilla Firefox\xul.dll+195366b|C:\Program Files\Mozilla Firefox\xul.dll+15be76e|C:\Program Files\Mozilla Firefox\xul.dll+1974caa|C:\Program Files\Mozilla Firefox\xul.dll+a2f85f|C:\Program Files\Mozilla Firefox\xul.dll+26cce|C:\Program Files\Mozilla Firefox\xul.dll+1a41e8|C:\Program Files\Mozilla Firefox\xul.dll+1a307f|C:\Program Files\Mozilla Firefox\xul.dll+405de1a|C:\Program Files\Mozilla Firefox\xul.dll+40c9abd|C:\Program Files\Mozilla Firefox\xul.dll+40ca748|C:\Program Files\Mozilla Firefox\xul.dll+1dd7883|C:\Program Files\Mozilla Firefox\firefox.exe+5831|C:\Program Files\Mozilla Firefox\firefox.exe+1bad8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032494Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.807{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D579-00000000E601}4960C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a45567|C:\Program Files\Mozilla Firefox\xul.dll+ab8ee9|C:\Program Files\Mozilla Firefox\xul.dll+a16962|C:\Program Files\Mozilla Firefox\xul.dll+8f3aea|C:\Program Files\Mozilla Firefox\xul.dll+195366b|C:\Program Files\Mozilla Firefox\xul.dll+15be76e|C:\Program Files\Mozilla Firefox\xul.dll+1974caa|C:\Program Files\Mozilla Firefox\xul.dll+a2f85f|C:\Program Files\Mozilla Firefox\xul.dll+26cce|C:\Program Files\Mozilla Firefox\xul.dll+1a41e8|C:\Program Files\Mozilla Firefox\xul.dll+1a307f|C:\Program Files\Mozilla Firefox\xul.dll+405de1a|C:\Program Files\Mozilla Firefox\xul.dll+40c9abd|C:\Program Files\Mozilla Firefox\xul.dll+40ca748|C:\Program Files\Mozilla Firefox\xul.dll+1dd7883|C:\Program Files\Mozilla Firefox\firefox.exe+5831|C:\Program Files\Mozilla Firefox\firefox.exe+1bad8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032493Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.807{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D579-00000000E601}4960C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a45567|C:\Program Files\Mozilla Firefox\xul.dll+ab8ee9|C:\Program Files\Mozilla Firefox\xul.dll+a16962|C:\Program Files\Mozilla Firefox\xul.dll+8f3aea|C:\Program Files\Mozilla Firefox\xul.dll+195366b|C:\Program Files\Mozilla Firefox\xul.dll+15be76e|C:\Program Files\Mozilla Firefox\xul.dll+1974caa|C:\Program Files\Mozilla Firefox\xul.dll+a2f85f|C:\Program Files\Mozilla Firefox\xul.dll+26cce|C:\Program Files\Mozilla Firefox\xul.dll+1a41e8|C:\Program Files\Mozilla Firefox\xul.dll+1a307f|C:\Program Files\Mozilla Firefox\xul.dll+405de1a|C:\Program Files\Mozilla Firefox\xul.dll+40c9abd|C:\Program Files\Mozilla Firefox\xul.dll+40ca748|C:\Program Files\Mozilla Firefox\xul.dll+1dd7883|C:\Program Files\Mozilla Firefox\firefox.exe+5831|C:\Program Files\Mozilla Firefox\firefox.exe+1bad8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032492Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.807{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D579-00000000E601}4960C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a45567|C:\Program Files\Mozilla Firefox\xul.dll+ab8ee9|C:\Program Files\Mozilla Firefox\xul.dll+a16962|C:\Program Files\Mozilla Firefox\xul.dll+8f3aea|C:\Program Files\Mozilla Firefox\xul.dll+195366b|C:\Program Files\Mozilla Firefox\xul.dll+15be76e|C:\Program Files\Mozilla Firefox\xul.dll+1974caa|C:\Program Files\Mozilla Firefox\xul.dll+a2f85f|C:\Program Files\Mozilla Firefox\xul.dll+26cce|C:\Program Files\Mozilla Firefox\xul.dll+1a41e8|C:\Program Files\Mozilla Firefox\xul.dll+1a307f|C:\Program Files\Mozilla Firefox\xul.dll+405de1a|C:\Program Files\Mozilla Firefox\xul.dll+40c9abd|C:\Program Files\Mozilla Firefox\xul.dll+40ca748|C:\Program Files\Mozilla Firefox\xul.dll+1dd7883|C:\Program Files\Mozilla Firefox\firefox.exe+5831|C:\Program Files\Mozilla Firefox\firefox.exe+1bad8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032491Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.807{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D579-00000000E601}4960C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a45567|C:\Program Files\Mozilla Firefox\xul.dll+ab8ee9|C:\Program Files\Mozilla Firefox\xul.dll+a16962|C:\Program Files\Mozilla Firefox\xul.dll+8f3aea|C:\Program Files\Mozilla Firefox\xul.dll+195366b|C:\Program Files\Mozilla Firefox\xul.dll+15be76e|C:\Program Files\Mozilla Firefox\xul.dll+1974caa|C:\Program Files\Mozilla Firefox\xul.dll+a2f85f|C:\Program Files\Mozilla Firefox\xul.dll+26cce|C:\Program Files\Mozilla Firefox\xul.dll+1a41e8|C:\Program Files\Mozilla Firefox\xul.dll+1a307f|C:\Program Files\Mozilla Firefox\xul.dll+405de1a|C:\Program Files\Mozilla Firefox\xul.dll+40c9abd|C:\Program Files\Mozilla Firefox\xul.dll+40ca748|C:\Program Files\Mozilla Firefox\xul.dll+1dd7883|C:\Program Files\Mozilla Firefox\firefox.exe+5831|C:\Program Files\Mozilla Firefox\firefox.exe+1bad8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032490Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.807{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D579-00000000E601}4960C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a45567|C:\Program Files\Mozilla Firefox\xul.dll+ab8ee9|C:\Program Files\Mozilla Firefox\xul.dll+a16962|C:\Program Files\Mozilla Firefox\xul.dll+8f3aea|C:\Program Files\Mozilla Firefox\xul.dll+195366b|C:\Program Files\Mozilla Firefox\xul.dll+15be76e|C:\Program Files\Mozilla Firefox\xul.dll+1974caa|C:\Program Files\Mozilla Firefox\xul.dll+a2f85f|C:\Program Files\Mozilla Firefox\xul.dll+26cce|C:\Program Files\Mozilla Firefox\xul.dll+1a41e8|C:\Program Files\Mozilla Firefox\xul.dll+1a307f|C:\Program Files\Mozilla Firefox\xul.dll+405de1a|C:\Program Files\Mozilla Firefox\xul.dll+40c9abd|C:\Program Files\Mozilla Firefox\xul.dll+40ca748|C:\Program Files\Mozilla Firefox\xul.dll+1dd7883|C:\Program Files\Mozilla Firefox\firefox.exe+5831|C:\Program Files\Mozilla Firefox\firefox.exe+1bad8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032489Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.807{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D579-00000000E601}4960C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a45567|C:\Program Files\Mozilla Firefox\xul.dll+ab8ee9|C:\Program Files\Mozilla Firefox\xul.dll+a16962|C:\Program Files\Mozilla Firefox\xul.dll+8f3aea|C:\Program Files\Mozilla Firefox\xul.dll+195366b|C:\Program Files\Mozilla Firefox\xul.dll+15be76e|C:\Program Files\Mozilla Firefox\xul.dll+1974caa|C:\Program Files\Mozilla Firefox\xul.dll+a2f85f|C:\Program Files\Mozilla Firefox\xul.dll+26cce|C:\Program Files\Mozilla Firefox\xul.dll+1a41e8|C:\Program Files\Mozilla Firefox\xul.dll+1a307f|C:\Program Files\Mozilla Firefox\xul.dll+405de1a|C:\Program Files\Mozilla Firefox\xul.dll+40c9abd|C:\Program Files\Mozilla Firefox\xul.dll+40ca748|C:\Program Files\Mozilla Firefox\xul.dll+1dd7883|C:\Program Files\Mozilla Firefox\firefox.exe+5831|C:\Program Files\Mozilla Firefox\firefox.exe+1bad8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032488Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.807{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D579-00000000E601}4960C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a45567|C:\Program Files\Mozilla Firefox\xul.dll+ab8ee9|C:\Program Files\Mozilla Firefox\xul.dll+a16962|C:\Program Files\Mozilla Firefox\xul.dll+8f3aea|C:\Program Files\Mozilla Firefox\xul.dll+195366b|C:\Program Files\Mozilla Firefox\xul.dll+15be76e|C:\Program Files\Mozilla Firefox\xul.dll+1974caa|C:\Program Files\Mozilla Firefox\xul.dll+a2f85f|C:\Program Files\Mozilla Firefox\xul.dll+26cce|C:\Program Files\Mozilla Firefox\xul.dll+1a41e8|C:\Program Files\Mozilla Firefox\xul.dll+1a307f|C:\Program Files\Mozilla Firefox\xul.dll+405de1a|C:\Program Files\Mozilla Firefox\xul.dll+40c9abd|C:\Program Files\Mozilla Firefox\xul.dll+40ca748|C:\Program Files\Mozilla Firefox\xul.dll+1dd7883|C:\Program Files\Mozilla Firefox\firefox.exe+5831|C:\Program Files\Mozilla Firefox\firefox.exe+1bad8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032487Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.807{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D579-00000000E601}4960C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a45567|C:\Program Files\Mozilla Firefox\xul.dll+ab8ee9|C:\Program Files\Mozilla Firefox\xul.dll+a16962|C:\Program Files\Mozilla Firefox\xul.dll+8f3aea|C:\Program Files\Mozilla Firefox\xul.dll+195366b|C:\Program Files\Mozilla Firefox\xul.dll+15be76e|C:\Program Files\Mozilla Firefox\xul.dll+1974caa|C:\Program Files\Mozilla Firefox\xul.dll+a2f85f|C:\Program Files\Mozilla Firefox\xul.dll+26cce|C:\Program Files\Mozilla Firefox\xul.dll+1a41e8|C:\Program Files\Mozilla Firefox\xul.dll+1a307f|C:\Program Files\Mozilla Firefox\xul.dll+405de1a|C:\Program Files\Mozilla Firefox\xul.dll+40c9abd|C:\Program Files\Mozilla Firefox\xul.dll+40ca748|C:\Program Files\Mozilla Firefox\xul.dll+1dd7883|C:\Program Files\Mozilla Firefox\firefox.exe+5831|C:\Program Files\Mozilla Firefox\firefox.exe+1bad8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032486Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.807{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D579-00000000E601}4960C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a45567|C:\Program Files\Mozilla Firefox\xul.dll+ab8ee9|C:\Program Files\Mozilla Firefox\xul.dll+a16962|C:\Program Files\Mozilla Firefox\xul.dll+8f3aea|C:\Program Files\Mozilla Firefox\xul.dll+195366b|C:\Program Files\Mozilla Firefox\xul.dll+15be76e|C:\Program Files\Mozilla Firefox\xul.dll+1974caa|C:\Program Files\Mozilla Firefox\xul.dll+a2f85f|C:\Program Files\Mozilla Firefox\xul.dll+26cce|C:\Program Files\Mozilla Firefox\xul.dll+1a41e8|C:\Program Files\Mozilla Firefox\xul.dll+1a307f|C:\Program Files\Mozilla Firefox\xul.dll+405de1a|C:\Program Files\Mozilla Firefox\xul.dll+40c9abd|C:\Program Files\Mozilla Firefox\xul.dll+40ca748|C:\Program Files\Mozilla Firefox\xul.dll+1dd7883|C:\Program Files\Mozilla Firefox\firefox.exe+5831|C:\Program Files\Mozilla Firefox\firefox.exe+1bad8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032485Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.807{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D579-00000000E601}4960C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a45567|C:\Program Files\Mozilla Firefox\xul.dll+ab8ee9|C:\Program Files\Mozilla Firefox\xul.dll+a16962|C:\Program Files\Mozilla Firefox\xul.dll+8f3aea|C:\Program Files\Mozilla Firefox\xul.dll+195366b|C:\Program Files\Mozilla Firefox\xul.dll+15be76e|C:\Program Files\Mozilla Firefox\xul.dll+1974caa|C:\Program Files\Mozilla Firefox\xul.dll+a2f85f|C:\Program Files\Mozilla Firefox\xul.dll+26cce|C:\Program Files\Mozilla Firefox\xul.dll+1a41e8|C:\Program Files\Mozilla Firefox\xul.dll+1a307f|C:\Program Files\Mozilla Firefox\xul.dll+405de1a|C:\Program Files\Mozilla Firefox\xul.dll+40c9abd|C:\Program Files\Mozilla Firefox\xul.dll+40ca748|C:\Program Files\Mozilla Firefox\xul.dll+1dd7883|C:\Program Files\Mozilla Firefox\firefox.exe+5831|C:\Program Files\Mozilla Firefox\firefox.exe+1bad8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032484Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.807{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D579-00000000E601}4960C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a45567|C:\Program Files\Mozilla Firefox\xul.dll+ab8ee9|C:\Program Files\Mozilla Firefox\xul.dll+a16962|C:\Program Files\Mozilla Firefox\xul.dll+8f3aea|C:\Program Files\Mozilla Firefox\xul.dll+195366b|C:\Program Files\Mozilla Firefox\xul.dll+15be76e|C:\Program Files\Mozilla Firefox\xul.dll+1974caa|C:\Program Files\Mozilla Firefox\xul.dll+a2f85f|C:\Program Files\Mozilla Firefox\xul.dll+26cce|C:\Program Files\Mozilla Firefox\xul.dll+1a41e8|C:\Program Files\Mozilla Firefox\xul.dll+1a307f|C:\Program Files\Mozilla Firefox\xul.dll+405de1a|C:\Program Files\Mozilla Firefox\xul.dll+40c9abd|C:\Program Files\Mozilla Firefox\xul.dll+40ca748|C:\Program Files\Mozilla Firefox\xul.dll+1dd7883|C:\Program Files\Mozilla Firefox\firefox.exe+5831|C:\Program Files\Mozilla Firefox\firefox.exe+1bad8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032483Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.807{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D579-00000000E601}4960C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a45567|C:\Program Files\Mozilla Firefox\xul.dll+ab8ee9|C:\Program Files\Mozilla Firefox\xul.dll+a16962|C:\Program Files\Mozilla Firefox\xul.dll+8f3aea|C:\Program Files\Mozilla Firefox\xul.dll+195366b|C:\Program Files\Mozilla Firefox\xul.dll+15be76e|C:\Program Files\Mozilla Firefox\xul.dll+1974caa|C:\Program Files\Mozilla Firefox\xul.dll+a2f85f|C:\Program Files\Mozilla Firefox\xul.dll+26cce|C:\Program Files\Mozilla Firefox\xul.dll+1a41e8|C:\Program Files\Mozilla Firefox\xul.dll+1a307f|C:\Program Files\Mozilla Firefox\xul.dll+405de1a|C:\Program Files\Mozilla Firefox\xul.dll+40c9abd|C:\Program Files\Mozilla Firefox\xul.dll+40ca748|C:\Program Files\Mozilla Firefox\xul.dll+1dd7883|C:\Program Files\Mozilla Firefox\firefox.exe+5831|C:\Program Files\Mozilla Firefox\firefox.exe+1bad8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032482Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.807{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D579-00000000E601}4960C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a45567|C:\Program Files\Mozilla Firefox\xul.dll+ab8ee9|C:\Program Files\Mozilla Firefox\xul.dll+a16962|C:\Program Files\Mozilla Firefox\xul.dll+8f3aea|C:\Program Files\Mozilla Firefox\xul.dll+195366b|C:\Program Files\Mozilla Firefox\xul.dll+15be76e|C:\Program Files\Mozilla Firefox\xul.dll+1974caa|C:\Program Files\Mozilla Firefox\xul.dll+a2f85f|C:\Program Files\Mozilla Firefox\xul.dll+26cce|C:\Program Files\Mozilla Firefox\xul.dll+1a41e8|C:\Program Files\Mozilla Firefox\xul.dll+1a307f|C:\Program Files\Mozilla Firefox\xul.dll+405de1a|C:\Program Files\Mozilla Firefox\xul.dll+40c9abd|C:\Program Files\Mozilla Firefox\xul.dll+40ca748|C:\Program Files\Mozilla Firefox\xul.dll+1dd7883|C:\Program Files\Mozilla Firefox\firefox.exe+5831|C:\Program Files\Mozilla Firefox\firefox.exe+1bad8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032481Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.807{2E2BE06D-6DD6-60FA-0B00-00000000E601}6366360C:\Windows\system32\lsass.exe{2E2BE06D-75A9-60FE-D279-00000000E601}5380C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032480Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.807{2E2BE06D-6DD6-60FA-0B00-00000000E601}6366360C:\Windows\system32\lsass.exe{2E2BE06D-75A9-60FE-D279-00000000E601}5380C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032479Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.807{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D579-00000000E601}4960C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a45567|C:\Program Files\Mozilla Firefox\xul.dll+ab8ee9|C:\Program Files\Mozilla Firefox\xul.dll+a16962|C:\Program Files\Mozilla Firefox\xul.dll+8f3aea|C:\Program Files\Mozilla Firefox\xul.dll+195366b|C:\Program Files\Mozilla Firefox\xul.dll+15be76e|C:\Program Files\Mozilla Firefox\xul.dll+1974caa|C:\Program Files\Mozilla Firefox\xul.dll+a2f85f|C:\Program Files\Mozilla Firefox\xul.dll+26cce|C:\Program Files\Mozilla Firefox\xul.dll+1a41e8|C:\Program Files\Mozilla Firefox\xul.dll+1a307f|C:\Program Files\Mozilla Firefox\xul.dll+405de1a|C:\Program Files\Mozilla Firefox\xul.dll+40c9abd|C:\Program Files\Mozilla Firefox\xul.dll+40ca748|C:\Program Files\Mozilla Firefox\xul.dll+1dd7883|C:\Program Files\Mozilla Firefox\firefox.exe+5831|C:\Program Files\Mozilla Firefox\firefox.exe+1bad8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001032478Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.791{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\r9rcglvc.default-release\storage.sqlite-journalMD5=DC55259572731538AB7552574BCA0A5F,SHA256=EDAD4E48B6D1DB98B16BE809FC4FB3D7C90043E4AF04F47876AA405AD971E916,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001032477Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.791{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+edfdee|C:\Program Files\Mozilla Firefox\xul.dll+2968a2|C:\Program Files\Mozilla Firefox\xul.dll+2957af|C:\Program Files\Mozilla Firefox\xul.dll+29559a|C:\Program Files\Mozilla Firefox\xul.dll+ef8dd7|C:\Program Files\Mozilla Firefox\xul.dll+1a6b699|C:\Program Files\Mozilla Firefox\xul.dll+1a6c4de|C:\Program Files\Mozilla Firefox\xul.dll+1a6c4de|C:\Program Files\Mozilla Firefox\xul.dll+1a6e08d|C:\Program Files\Mozilla Firefox\xul.dll+16d0a7f|C:\Program Files\Mozilla Firefox\xul.dll+f26cff|C:\Program Files\Mozilla Firefox\xul.dll+1a69ee3|C:\Program Files\Mozilla Firefox\xul.dll+16d12c6|C:\Program Files\Mozilla Firefox\xul.dll+f3dc7b|C:\Program Files\Mozilla Firefox\xul.dll+1193f0a|C:\Program Files\Mozilla Firefox\xul.dll+1193a79|C:\Program Files\Mozilla Firefox\xul.dll+199b8fc|C:\Program Files\Mozilla Firefox\xul.dll+b350ca|C:\Program Files\Mozilla Firefox\xul.dll+108aa6|C:\Program Files\Mozilla Firefox\xul.dll+127e6f|C:\Program Files\Mozilla Firefox\xul.dll+11999a9 10341000x80000000000000001032476Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.791{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+edfdc7|C:\Program Files\Mozilla Firefox\xul.dll+2968a2|C:\Program Files\Mozilla Firefox\xul.dll+2957af|C:\Program Files\Mozilla Firefox\xul.dll+29559a|C:\Program Files\Mozilla Firefox\xul.dll+ef8dd7|C:\Program Files\Mozilla Firefox\xul.dll+1a6b699|C:\Program Files\Mozilla Firefox\xul.dll+1a6c4de|C:\Program Files\Mozilla Firefox\xul.dll+1a6c4de|C:\Program Files\Mozilla Firefox\xul.dll+1a6e08d|C:\Program Files\Mozilla Firefox\xul.dll+16d0a7f|C:\Program Files\Mozilla Firefox\xul.dll+f26cff|C:\Program Files\Mozilla Firefox\xul.dll+1a69ee3|C:\Program Files\Mozilla Firefox\xul.dll+16d12c6|C:\Program Files\Mozilla Firefox\xul.dll+f3dc7b|C:\Program Files\Mozilla Firefox\xul.dll+1193f0a|C:\Program Files\Mozilla Firefox\xul.dll+1193a79|C:\Program Files\Mozilla Firefox\xul.dll+199b8fc|C:\Program Files\Mozilla Firefox\xul.dll+b350ca|C:\Program Files\Mozilla Firefox\xul.dll+108aa6|C:\Program Files\Mozilla Firefox\xul.dll+127e6f|C:\Program Files\Mozilla Firefox\xul.dll+11999a9 10341000x80000000000000001032475Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.791{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+edfd9c|C:\Program Files\Mozilla Firefox\xul.dll+2968a2|C:\Program Files\Mozilla Firefox\xul.dll+2957af|C:\Program Files\Mozilla Firefox\xul.dll+29559a|C:\Program Files\Mozilla Firefox\xul.dll+ef8dd7|C:\Program Files\Mozilla Firefox\xul.dll+1a6b699|C:\Program Files\Mozilla Firefox\xul.dll+1a6c4de|C:\Program Files\Mozilla Firefox\xul.dll+1a6c4de|C:\Program Files\Mozilla Firefox\xul.dll+1a6e08d|C:\Program Files\Mozilla Firefox\xul.dll+16d0a7f|C:\Program Files\Mozilla Firefox\xul.dll+f26cff|C:\Program Files\Mozilla Firefox\xul.dll+1a69ee3|C:\Program Files\Mozilla Firefox\xul.dll+16d12c6|C:\Program Files\Mozilla Firefox\xul.dll+f3dc7b|C:\Program Files\Mozilla Firefox\xul.dll+1193f0a|C:\Program Files\Mozilla Firefox\xul.dll+1193a79|C:\Program Files\Mozilla Firefox\xul.dll+199b8fc|C:\Program Files\Mozilla Firefox\xul.dll+b350ca|C:\Program Files\Mozilla Firefox\xul.dll+108aa6|C:\Program Files\Mozilla Firefox\xul.dll+127e6f|C:\Program Files\Mozilla Firefox\xul.dll+11999a9 10341000x80000000000000001032474Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.790{2E2BE06D-75A9-60FE-D279-00000000E601}53805744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D679-00000000E601}6660C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a2d224|C:\Program Files\Mozilla Firefox\xul.dll+a409b1|C:\Program Files\Mozilla Firefox\xul.dll+aa29a5|C:\Program Files\Mozilla Firefox\xul.dll+cf601|C:\Program Files\Mozilla Firefox\xul.dll+1973a3f|C:\Program Files\Mozilla Firefox\xul.dll+15bf73c|C:\Program Files\Mozilla Firefox\xul.dll+26e02|C:\Program Files\Mozilla Firefox\xul.dll+a2f85f|C:\Program Files\Mozilla Firefox\xul.dll+26cce|C:\Program Files\Mozilla Firefox\xul.dll+8f79c7|C:\Program Files\Mozilla Firefox\nss3.dll+7630d|C:\Program Files\Mozilla Firefox\nss3.dll+8e3f1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032473Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.788{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D679-00000000E601}6660C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a84bb8|C:\Program Files\Mozilla Firefox\xul.dll+a45567|C:\Program Files\Mozilla Firefox\xul.dll+a91ad9|C:\Program Files\Mozilla Firefox\xul.dll+e65af8|C:\Program Files\Mozilla Firefox\xul.dll+197c89a|C:\Program Files\Mozilla Firefox\xul.dll+1973a3f|C:\Program Files\Mozilla Firefox\xul.dll+19532da|C:\Program Files\Mozilla Firefox\xul.dll+15be76e|C:\Program Files\Mozilla Firefox\xul.dll+1974caa|C:\Program Files\Mozilla Firefox\xul.dll+a2f85f|C:\Program Files\Mozilla Firefox\xul.dll+26cce|C:\Program Files\Mozilla Firefox\xul.dll+1a41e8|C:\Program Files\Mozilla Firefox\xul.dll+1a307f|C:\Program Files\Mozilla Firefox\xul.dll+405de1a|C:\Program Files\Mozilla Firefox\xul.dll+40c9abd|C:\Program Files\Mozilla Firefox\xul.dll+40ca748|C:\Program Files\Mozilla Firefox\xul.dll+1dd7883|C:\Program Files\Mozilla Firefox\firefox.exe+5831|C:\Program Files\Mozilla Firefox\firefox.exe+1bad8|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000001032472Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-ConnectPipe2021-07-26 08:43:24.788{2E2BE06D-75A9-60FE-D279-00000000E601}5380\cubeb-pipe-5380-2C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001032471Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-CreatePipe2021-07-26 08:43:24.788{2E2BE06D-75A9-60FE-D279-00000000E601}5380\cubeb-pipe-5380-2C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001032470Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.738{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D679-00000000E601}6660C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a85c98|C:\Program Files\Mozilla Firefox\xul.dll+e70182|C:\Program Files\Mozilla Firefox\xul.dll+220fbb|C:\Program Files\Mozilla Firefox\xul.dll+cb7f34|C:\Program Files\Mozilla Firefox\xul.dll+1656178|C:\Program Files\Mozilla Firefox\xul.dll+161a3d8|C:\Program Files\Mozilla Firefox\xul.dll+1b20427|C:\Program Files\Mozilla Firefox\xul.dll+16e0ab7|C:\Program Files\Mozilla Firefox\xul.dll+168d5b6|UNKNOWN(000000BD8F211E84) 10341000x80000000000000001032469Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.738{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D579-00000000E601}4960C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a85c98|C:\Program Files\Mozilla Firefox\xul.dll+e70182|C:\Program Files\Mozilla Firefox\xul.dll+220fbb|C:\Program Files\Mozilla Firefox\xul.dll+cb7f34|C:\Program Files\Mozilla Firefox\xul.dll+1656178|C:\Program Files\Mozilla Firefox\xul.dll+161a3d8|C:\Program Files\Mozilla Firefox\xul.dll+1b20427|C:\Program Files\Mozilla Firefox\xul.dll+16e0ab7|C:\Program Files\Mozilla Firefox\xul.dll+168d5b6|UNKNOWN(000000BD8F211E84) 10341000x80000000000000001032468Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.738{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D479-00000000E601}6640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a85c98|C:\Program Files\Mozilla Firefox\xul.dll+e70182|C:\Program Files\Mozilla Firefox\xul.dll+220fbb|C:\Program Files\Mozilla Firefox\xul.dll+cb7f34|C:\Program Files\Mozilla Firefox\xul.dll+1656178|C:\Program Files\Mozilla Firefox\xul.dll+161a3d8|C:\Program Files\Mozilla Firefox\xul.dll+1b20427|C:\Program Files\Mozilla Firefox\xul.dll+16e0ab7|C:\Program Files\Mozilla Firefox\xul.dll+168d5b6|UNKNOWN(000000BD8F211E84) 10341000x80000000000000001032467Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.738{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D679-00000000E601}6660C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a85c98|C:\Program Files\Mozilla Firefox\xul.dll+e70182|C:\Program Files\Mozilla Firefox\xul.dll+220fbb|C:\Program Files\Mozilla Firefox\xul.dll+cb7f34|C:\Program Files\Mozilla Firefox\xul.dll+1656178|C:\Program Files\Mozilla Firefox\xul.dll+161a3d8|C:\Program Files\Mozilla Firefox\xul.dll+1b20427|C:\Program Files\Mozilla Firefox\xul.dll+16e0ab7|C:\Program Files\Mozilla Firefox\xul.dll+168d5b6|UNKNOWN(000000BD8F211E84) 10341000x80000000000000001032466Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.738{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D579-00000000E601}4960C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a85c98|C:\Program Files\Mozilla Firefox\xul.dll+e70182|C:\Program Files\Mozilla Firefox\xul.dll+220fbb|C:\Program Files\Mozilla Firefox\xul.dll+cb7f34|C:\Program Files\Mozilla Firefox\xul.dll+1656178|C:\Program Files\Mozilla Firefox\xul.dll+161a3d8|C:\Program Files\Mozilla Firefox\xul.dll+1b20427|C:\Program Files\Mozilla Firefox\xul.dll+16e0ab7|C:\Program Files\Mozilla Firefox\xul.dll+168d5b6|UNKNOWN(000000BD8F211E84) 10341000x80000000000000001032465Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.738{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D479-00000000E601}6640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a85c98|C:\Program Files\Mozilla Firefox\xul.dll+e70182|C:\Program Files\Mozilla Firefox\xul.dll+220fbb|C:\Program Files\Mozilla Firefox\xul.dll+cb7f34|C:\Program Files\Mozilla Firefox\xul.dll+1656178|C:\Program Files\Mozilla Firefox\xul.dll+161a3d8|C:\Program Files\Mozilla Firefox\xul.dll+1b20427|C:\Program Files\Mozilla Firefox\xul.dll+16e0ab7|C:\Program Files\Mozilla Firefox\xul.dll+168d5b6|UNKNOWN(000000BD8F211E84) 10341000x80000000000000001032464Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.738{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D679-00000000E601}6660C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a85c98|C:\Program Files\Mozilla Firefox\xul.dll+e70182|C:\Program Files\Mozilla Firefox\xul.dll+220fbb|C:\Program Files\Mozilla Firefox\xul.dll+cb7f34|C:\Program Files\Mozilla Firefox\xul.dll+1656178|C:\Program Files\Mozilla Firefox\xul.dll+161a3d8|C:\Program Files\Mozilla Firefox\xul.dll+1b20427|C:\Program Files\Mozilla Firefox\xul.dll+1b29a49|C:\Program Files\Mozilla Firefox\xul.dll+1cb1266|UNKNOWN(000000BD8F213E5F) 10341000x80000000000000001032463Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.738{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D579-00000000E601}4960C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a85c98|C:\Program Files\Mozilla Firefox\xul.dll+e70182|C:\Program Files\Mozilla Firefox\xul.dll+220fbb|C:\Program Files\Mozilla Firefox\xul.dll+cb7f34|C:\Program Files\Mozilla Firefox\xul.dll+1656178|C:\Program Files\Mozilla Firefox\xul.dll+161a3d8|C:\Program Files\Mozilla Firefox\xul.dll+1b20427|C:\Program Files\Mozilla Firefox\xul.dll+1b29a49|C:\Program Files\Mozilla Firefox\xul.dll+1cb1266|UNKNOWN(000000BD8F213E5F) 10341000x80000000000000001032462Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.738{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D479-00000000E601}6640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a85c98|C:\Program Files\Mozilla Firefox\xul.dll+e70182|C:\Program Files\Mozilla Firefox\xul.dll+220fbb|C:\Program Files\Mozilla Firefox\xul.dll+cb7f34|C:\Program Files\Mozilla Firefox\xul.dll+1656178|C:\Program Files\Mozilla Firefox\xul.dll+161a3d8|C:\Program Files\Mozilla Firefox\xul.dll+1b20427|C:\Program Files\Mozilla Firefox\xul.dll+1b29a49|C:\Program Files\Mozilla Firefox\xul.dll+1cb1266|UNKNOWN(000000BD8F213E5F) 10341000x80000000000000001032461Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.738{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D679-00000000E601}6660C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a85c98|C:\Program Files\Mozilla Firefox\xul.dll+e70182|C:\Program Files\Mozilla Firefox\xul.dll+220fbb|C:\Program Files\Mozilla Firefox\xul.dll+cb7f34|C:\Program Files\Mozilla Firefox\xul.dll+1656178|C:\Program Files\Mozilla Firefox\xul.dll+161a3d8|C:\Program Files\Mozilla Firefox\xul.dll+1b20427|C:\Program Files\Mozilla Firefox\xul.dll+1b12fc4|C:\Program Files\Mozilla Firefox\xul.dll+75804|C:\Program Files\Mozilla Firefox\xul.dll+1258178|C:\Program Files\Mozilla Firefox\xul.dll+8c061|C:\Program Files\Mozilla Firefox\xul.dll+8bfb8|C:\Program Files\Mozilla Firefox\xul.dll+af8c40|C:\Program Files\Mozilla Firefox\xul.dll+882e2|C:\Program Files\Mozilla Firefox\xul.dll+c51d6b|C:\Program Files\Mozilla Firefox\xul.dll+1651cb2|C:\Program Files\Mozilla Firefox\xul.dll+1b6b375|C:\Program Files\Mozilla Firefox\xul.dll+1b2170d|C:\Program Files\Mozilla Firefox\xul.dll+16e0ab7|C:\Program Files\Mozilla Firefox\xul.dll+1992691 10341000x80000000000000001032460Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.738{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D579-00000000E601}4960C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a85c98|C:\Program Files\Mozilla Firefox\xul.dll+e70182|C:\Program Files\Mozilla Firefox\xul.dll+220fbb|C:\Program Files\Mozilla Firefox\xul.dll+cb7f34|C:\Program Files\Mozilla Firefox\xul.dll+1656178|C:\Program Files\Mozilla Firefox\xul.dll+161a3d8|C:\Program Files\Mozilla Firefox\xul.dll+1b20427|C:\Program Files\Mozilla Firefox\xul.dll+1b12fc4|C:\Program Files\Mozilla Firefox\xul.dll+75804|C:\Program Files\Mozilla Firefox\xul.dll+1258178|C:\Program Files\Mozilla Firefox\xul.dll+8c061|C:\Program Files\Mozilla Firefox\xul.dll+8bfb8|C:\Program Files\Mozilla Firefox\xul.dll+af8c40|C:\Program Files\Mozilla Firefox\xul.dll+882e2|C:\Program Files\Mozilla Firefox\xul.dll+c51d6b|C:\Program Files\Mozilla Firefox\xul.dll+1651cb2|C:\Program Files\Mozilla Firefox\xul.dll+1b6b375|C:\Program Files\Mozilla Firefox\xul.dll+1b2170d|C:\Program Files\Mozilla Firefox\xul.dll+16e0ab7|C:\Program Files\Mozilla Firefox\xul.dll+1992691 10341000x80000000000000001032459Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.738{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AC-60FE-D479-00000000E601}6640C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a36cdf|C:\Program Files\Mozilla Firefox\xul.dll+a85c98|C:\Program Files\Mozilla Firefox\xul.dll+e70182|C:\Program Files\Mozilla Firefox\xul.dll+220fbb|C:\Program Files\Mozilla Firefox\xul.dll+cb7f34|C:\Program Files\Mozilla Firefox\xul.dll+1656178|C:\Program Files\Mozilla Firefox\xul.dll+161a3d8|C:\Program Files\Mozilla Firefox\xul.dll+1b20427|C:\Program Files\Mozilla Firefox\xul.dll+1b12fc4|C:\Program Files\Mozilla Firefox\xul.dll+75804|C:\Program Files\Mozilla Firefox\xul.dll+1258178|C:\Program Files\Mozilla Firefox\xul.dll+8c061|C:\Program Files\Mozilla Firefox\xul.dll+8bfb8|C:\Program Files\Mozilla Firefox\xul.dll+af8c40|C:\Program Files\Mozilla Firefox\xul.dll+882e2|C:\Program Files\Mozilla Firefox\xul.dll+c51d6b|C:\Program Files\Mozilla Firefox\xul.dll+1651cb2|C:\Program Files\Mozilla Firefox\xul.dll+1b6b375|C:\Program Files\Mozilla Firefox\xul.dll+1b2170d|C:\Program Files\Mozilla Firefox\xul.dll+16e0ab7|C:\Program Files\Mozilla Firefox\xul.dll+1992691 23542300x80000000000000001032458Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.707{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\R9RCGL~1.DEF\key4.db-journalMD5=2B37D8F4F4B51B1D32692B874FE16DAE,SHA256=3FC6C92DB1081894D83D56AADAFDDBFAF52C6A76206CDC45F8E70900E2AB786D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032457Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.691{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\R9RCGL~1.DEF\key4.db-journalMD5=09F53116201F8278497B935A1EFCE453,SHA256=CF05AD4D625A3FD8FB0F27ED974E799AC500A232553C8F26EBBF8F0440F2AD60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001032456Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.691{2E2BE06D-75A9-60FE-D279-00000000E601}5380ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\R9RCGL~1.DEF\cert9.db-journalMD5=F27B6081B7414D287F960D168B7D2278,SHA256=679B6ADF1D14CA21938871E64D62088F33825DBAF7D9905BC71681A628DA0B18,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001032455Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.653{2E2BE06D-75A9-60FE-D279-00000000E601}5380C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\R9RCGL~1.DEF\pkcs11.txt2021-07-26 08:43:24.653 23542300x80000000000000001032454Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.622{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2AEE15400B3920F6A8069F61E05ECFE,SHA256=91ABA5EC7F2AA2173A71BD9195A6EFD4D1E2F438815605CB3D426BF90A889D47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001032453Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.607{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a2d224|C:\Program Files\Mozilla Firefox\xul.dll+2512326|C:\Program Files\Mozilla Firefox\xul.dll+24cb3e3|C:\Program Files\Mozilla Firefox\xul.dll+24cb886|C:\Program Files\Mozilla Firefox\xul.dll+24cba3f|C:\Program Files\Mozilla Firefox\xul.dll+250bee7|C:\Program Files\Mozilla Firefox\xul.dll+346a92|C:\Program Files\Mozilla Firefox\xul.dll+fbc0c5|C:\Program Files\Mozilla Firefox\xul.dll+c20b84|C:\Program Files\Mozilla Firefox\xul.dll+34638d|C:\Program Files\Mozilla Firefox\xul.dll+3dd37b|C:\Program Files\Mozilla Firefox\xul.dll+3dcb6d|C:\Program Files\Mozilla Firefox\xul.dll+c0a41a|C:\Program Files\Mozilla Firefox\xul.dll+195366b|C:\Program Files\Mozilla Firefox\xul.dll+15be76e|C:\Program Files\Mozilla Firefox\xul.dll+1974caa|C:\Program Files\Mozilla Firefox\xul.dll+a2f85f|C:\Program Files\Mozilla Firefox\xul.dll+26cce|C:\Program Files\Mozilla Firefox\xul.dll+1a41e8|C:\Program Files\Mozilla Firefox\xul.dll+1a307f|C:\Program Files\Mozilla Firefox\xul.dll+405de1a 10341000x80000000000000001032452Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.591{2E2BE06D-6DD8-60FA-1400-00000000E601}6881608C:\Windows\system32\svchost.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032451Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.591{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a2d224|C:\Program Files\Mozilla Firefox\xul.dll+2512326|C:\Program Files\Mozilla Firefox\xul.dll+24cb3e3|C:\Program Files\Mozilla Firefox\xul.dll+24cb83d|C:\Program Files\Mozilla Firefox\xul.dll+25121cd|C:\Program Files\Mozilla Firefox\xul.dll+c140a6|C:\Program Files\Mozilla Firefox\xul.dll+c128b8|C:\Program Files\Mozilla Firefox\xul.dll+263307a|C:\Program Files\Mozilla Firefox\xul.dll+2629c0f|C:\Program Files\Mozilla Firefox\xul.dll+26333e6|C:\Program Files\Mozilla Firefox\xul.dll+3844f82|C:\Program Files\Mozilla Firefox\xul.dll+384525d|C:\Program Files\Mozilla Firefox\xul.dll+2503231|C:\Program Files\Mozilla Firefox\xul.dll+2502a26|C:\Program Files\Mozilla Firefox\xul.dll+25022da|C:\Program Files\Mozilla Firefox\xul.dll+2509923|C:\Program Files\Mozilla Firefox\xul.dll+fdb273|C:\Program Files\Mozilla Firefox\xul.dll+2e9816|C:\Program Files\Mozilla Firefox\xul.dll+2e2a42|C:\Program Files\Mozilla Firefox\xul.dll+ec13eb|C:\Program Files\Mozilla Firefox\xul.dll+ec0dd4 10341000x80000000000000001032450Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.591{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a2d224|C:\Program Files\Mozilla Firefox\xul.dll+2512326|C:\Program Files\Mozilla Firefox\xul.dll+24cb3e3|C:\Program Files\Mozilla Firefox\xul.dll+24cb83d|C:\Program Files\Mozilla Firefox\xul.dll+25121cd|C:\Program Files\Mozilla Firefox\xul.dll+c140a6|C:\Program Files\Mozilla Firefox\xul.dll+c128b8|C:\Program Files\Mozilla Firefox\xul.dll+263307a|C:\Program Files\Mozilla Firefox\xul.dll+2629c0f|C:\Program Files\Mozilla Firefox\xul.dll+26333e6|C:\Program Files\Mozilla Firefox\xul.dll+3844f82|C:\Program Files\Mozilla Firefox\xul.dll+384525d|C:\Program Files\Mozilla Firefox\xul.dll+2503231|C:\Program Files\Mozilla Firefox\xul.dll+2502a26|C:\Program Files\Mozilla Firefox\xul.dll+25022da|C:\Program Files\Mozilla Firefox\xul.dll+2509923|C:\Program Files\Mozilla Firefox\xul.dll+fdb273|C:\Program Files\Mozilla Firefox\xul.dll+2e9816|C:\Program Files\Mozilla Firefox\xul.dll+2e2a42|C:\Program Files\Mozilla Firefox\xul.dll+ec13eb|C:\Program Files\Mozilla Firefox\xul.dll+ec0dd4 10341000x80000000000000001032449Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.591{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a2d224|C:\Program Files\Mozilla Firefox\xul.dll+2512326|C:\Program Files\Mozilla Firefox\xul.dll+24cb3e3|C:\Program Files\Mozilla Firefox\xul.dll+24cb83d|C:\Program Files\Mozilla Firefox\xul.dll+25121cd|C:\Program Files\Mozilla Firefox\xul.dll+c140a6|C:\Program Files\Mozilla Firefox\xul.dll+c128b8|C:\Program Files\Mozilla Firefox\xul.dll+263307a|C:\Program Files\Mozilla Firefox\xul.dll+2629c0f|C:\Program Files\Mozilla Firefox\xul.dll+26333e6|C:\Program Files\Mozilla Firefox\xul.dll+3844f82|C:\Program Files\Mozilla Firefox\xul.dll+384525d|C:\Program Files\Mozilla Firefox\xul.dll+2503231|C:\Program Files\Mozilla Firefox\xul.dll+2502a26|C:\Program Files\Mozilla Firefox\xul.dll+25022da|C:\Program Files\Mozilla Firefox\xul.dll+2509923|C:\Program Files\Mozilla Firefox\xul.dll+fdb273|C:\Program Files\Mozilla Firefox\xul.dll+2e9816|C:\Program Files\Mozilla Firefox\xul.dll+2e2a42|C:\Program Files\Mozilla Firefox\xul.dll+ec13eb|C:\Program Files\Mozilla Firefox\xul.dll+ec0dd4 10341000x80000000000000001032448Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.591{2E2BE06D-6DD8-60FA-1400-00000000E601}6881608C:\Windows\system32\svchost.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032447Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.591{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a2d224|C:\Program Files\Mozilla Firefox\xul.dll+2512326|C:\Program Files\Mozilla Firefox\xul.dll+24cb3e3|C:\Program Files\Mozilla Firefox\xul.dll+24cb83d|C:\Program Files\Mozilla Firefox\xul.dll+25121cd|C:\Program Files\Mozilla Firefox\xul.dll+c140a6|C:\Program Files\Mozilla Firefox\xul.dll+c128b8|C:\Program Files\Mozilla Firefox\xul.dll+263307a|C:\Program Files\Mozilla Firefox\xul.dll+2629c0f|C:\Program Files\Mozilla Firefox\xul.dll+26333e6|C:\Program Files\Mozilla Firefox\xul.dll+3844f82|C:\Program Files\Mozilla Firefox\xul.dll+384525d|C:\Program Files\Mozilla Firefox\xul.dll+2503231|C:\Program Files\Mozilla Firefox\xul.dll+2502a26|C:\Program Files\Mozilla Firefox\xul.dll+25022da|C:\Program Files\Mozilla Firefox\xul.dll+2509923|C:\Program Files\Mozilla Firefox\xul.dll+fdb273|C:\Program Files\Mozilla Firefox\xul.dll+2e9816|C:\Program Files\Mozilla Firefox\xul.dll+2e2a42|C:\Program Files\Mozilla Firefox\xul.dll+ec13eb|C:\Program Files\Mozilla Firefox\xul.dll+ec0dd4 10341000x80000000000000001032446Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.591{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a2d224|C:\Program Files\Mozilla Firefox\xul.dll+2512326|C:\Program Files\Mozilla Firefox\xul.dll+24cb3e3|C:\Program Files\Mozilla Firefox\xul.dll+24cb83d|C:\Program Files\Mozilla Firefox\xul.dll+25121cd|C:\Program Files\Mozilla Firefox\xul.dll+c140a6|C:\Program Files\Mozilla Firefox\xul.dll+c128b8|C:\Program Files\Mozilla Firefox\xul.dll+263307a|C:\Program Files\Mozilla Firefox\xul.dll+2629c0f|C:\Program Files\Mozilla Firefox\xul.dll+26333e6|C:\Program Files\Mozilla Firefox\xul.dll+3844f82|C:\Program Files\Mozilla Firefox\xul.dll+384525d|C:\Program Files\Mozilla Firefox\xul.dll+2503231|C:\Program Files\Mozilla Firefox\xul.dll+2502a26|C:\Program Files\Mozilla Firefox\xul.dll+25022da|C:\Program Files\Mozilla Firefox\xul.dll+2509923|C:\Program Files\Mozilla Firefox\xul.dll+fdb273|C:\Program Files\Mozilla Firefox\xul.dll+2e9816|C:\Program Files\Mozilla Firefox\xul.dll+2e2a42|C:\Program Files\Mozilla Firefox\xul.dll+ec13eb|C:\Program Files\Mozilla Firefox\xul.dll+ec0dd4 10341000x80000000000000001032445Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.591{2E2BE06D-CA2C-60FA-630B-00000000E601}47284840C:\Windows\Explorer.EXE{2E2BE06D-75A9-60FE-D279-00000000E601}5380C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032444Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.591{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a2d224|C:\Program Files\Mozilla Firefox\xul.dll+a465a9|C:\Program Files\Mozilla Firefox\xul.dll+a464ca|C:\Program Files\Mozilla Firefox\xul.dll+a44820|C:\Program Files\Mozilla Firefox\xul.dll+a44ac4|C:\Program Files\Mozilla Firefox\xul.dll+24e6bbb|C:\Program Files\Mozilla Firefox\xul.dll+24e69ad|C:\Program Files\Mozilla Firefox\xul.dll+24e6786|C:\Program Files\Mozilla Firefox\xul.dll+24e7bd6|C:\Program Files\Mozilla Firefox\xul.dll+24fab74|C:\Program Files\Mozilla Firefox\xul.dll+24018f7|C:\Program Files\Mozilla Firefox\xul.dll+24ea284|C:\Program Files\Mozilla Firefox\xul.dll+24e9f1f|C:\Program Files\Mozilla Firefox\xul.dll+24ebbbf|C:\Program Files\Mozilla Firefox\xul.dll+261f6c3|C:\Program Files\Mozilla Firefox\xul.dll+bfa14f|C:\Program Files\Mozilla Firefox\xul.dll+18cdd8d|C:\Program Files\Mozilla Firefox\xul.dll+bfe83c|C:\Program Files\Mozilla Firefox\xul.dll+18cd27e|C:\Program Files\Mozilla Firefox\xul.dll+f8aca0|C:\Program Files\Mozilla Firefox\xul.dll+f8aa40 10341000x80000000000000001032443Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.591{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a2d224|C:\Program Files\Mozilla Firefox\xul.dll+2512326|C:\Program Files\Mozilla Firefox\xul.dll+24cb3e3|C:\Program Files\Mozilla Firefox\xul.dll+24cb83d|C:\Program Files\Mozilla Firefox\xul.dll+25121cd|C:\Program Files\Mozilla Firefox\xul.dll+c140a6|C:\Program Files\Mozilla Firefox\xul.dll+c128b8|C:\Program Files\Mozilla Firefox\xul.dll+263307a|C:\Program Files\Mozilla Firefox\xul.dll+2629c0f|C:\Program Files\Mozilla Firefox\xul.dll+26333e6|C:\Program Files\Mozilla Firefox\xul.dll+3844f82|C:\Program Files\Mozilla Firefox\xul.dll+384525d|C:\Program Files\Mozilla Firefox\xul.dll+2503231|C:\Program Files\Mozilla Firefox\xul.dll+2502a26|C:\Program Files\Mozilla Firefox\xul.dll+25022da|C:\Program Files\Mozilla Firefox\xul.dll+2509923|C:\Program Files\Mozilla Firefox\xul.dll+fdb273|C:\Program Files\Mozilla Firefox\xul.dll+2e9816|C:\Program Files\Mozilla Firefox\xul.dll+2e2a42|C:\Program Files\Mozilla Firefox\xul.dll+ec13eb|C:\Program Files\Mozilla Firefox\xul.dll+ec0dd4 10341000x80000000000000001032442Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.591{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a2d224|C:\Program Files\Mozilla Firefox\xul.dll+2512326|C:\Program Files\Mozilla Firefox\xul.dll+24cb3e3|C:\Program Files\Mozilla Firefox\xul.dll+24cb83d|C:\Program Files\Mozilla Firefox\xul.dll+25121cd|C:\Program Files\Mozilla Firefox\xul.dll+c140a6|C:\Program Files\Mozilla Firefox\xul.dll+c128b8|C:\Program Files\Mozilla Firefox\xul.dll+263307a|C:\Program Files\Mozilla Firefox\xul.dll+2629c0f|C:\Program Files\Mozilla Firefox\xul.dll+26333e6|C:\Program Files\Mozilla Firefox\xul.dll+3844f82|C:\Program Files\Mozilla Firefox\xul.dll+384525d|C:\Program Files\Mozilla Firefox\xul.dll+2503231|C:\Program Files\Mozilla Firefox\xul.dll+2502a26|C:\Program Files\Mozilla Firefox\xul.dll+38a5434|C:\Program Files\Mozilla Firefox\xul.dll+2503231|C:\Program Files\Mozilla Firefox\xul.dll+2502a26|C:\Program Files\Mozilla Firefox\xul.dll+38a13aa|C:\Program Files\Mozilla Firefox\xul.dll+2503231|C:\Program Files\Mozilla Firefox\xul.dll+2502a26|C:\Program Files\Mozilla Firefox\xul.dll+25022da 10341000x80000000000000001032441Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.591{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a2d224|C:\Program Files\Mozilla Firefox\xul.dll+2512326|C:\Program Files\Mozilla Firefox\xul.dll+24cb3e3|C:\Program Files\Mozilla Firefox\xul.dll+24cb83d|C:\Program Files\Mozilla Firefox\xul.dll+25121cd|C:\Program Files\Mozilla Firefox\xul.dll+c140a6|C:\Program Files\Mozilla Firefox\xul.dll+c128b8|C:\Program Files\Mozilla Firefox\xul.dll+263307a|C:\Program Files\Mozilla Firefox\xul.dll+2629c0f|C:\Program Files\Mozilla Firefox\xul.dll+26333e6|C:\Program Files\Mozilla Firefox\xul.dll+3844f82|C:\Program Files\Mozilla Firefox\xul.dll+384525d|C:\Program Files\Mozilla Firefox\xul.dll+2503231|C:\Program Files\Mozilla Firefox\xul.dll+2502a26|C:\Program Files\Mozilla Firefox\xul.dll+38a13aa|C:\Program Files\Mozilla Firefox\xul.dll+2503231|C:\Program Files\Mozilla Firefox\xul.dll+2502a26|C:\Program Files\Mozilla Firefox\xul.dll+25022da|C:\Program Files\Mozilla Firefox\xul.dll+2509923|C:\Program Files\Mozilla Firefox\xul.dll+fdb273|C:\Program Files\Mozilla Firefox\xul.dll+2e9816 10341000x80000000000000001032440Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.591{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a2d224|C:\Program Files\Mozilla Firefox\xul.dll+2512326|C:\Program Files\Mozilla Firefox\xul.dll+24cb3e3|C:\Program Files\Mozilla Firefox\xul.dll+24cb83d|C:\Program Files\Mozilla Firefox\xul.dll+25121cd|C:\Program Files\Mozilla Firefox\xul.dll+c140a6|C:\Program Files\Mozilla Firefox\xul.dll+c128b8|C:\Program Files\Mozilla Firefox\xul.dll+263307a|C:\Program Files\Mozilla Firefox\xul.dll+2629c0f|C:\Program Files\Mozilla Firefox\xul.dll+26333e6|C:\Program Files\Mozilla Firefox\xul.dll+3844f82|C:\Program Files\Mozilla Firefox\xul.dll+384525d|C:\Program Files\Mozilla Firefox\xul.dll+2503231|C:\Program Files\Mozilla Firefox\xul.dll+2502a26|C:\Program Files\Mozilla Firefox\xul.dll+38a13aa|C:\Program Files\Mozilla Firefox\xul.dll+2503231|C:\Program Files\Mozilla Firefox\xul.dll+2502a26|C:\Program Files\Mozilla Firefox\xul.dll+25022da|C:\Program Files\Mozilla Firefox\xul.dll+2509923|C:\Program Files\Mozilla Firefox\xul.dll+fdb273|C:\Program Files\Mozilla Firefox\xul.dll+2e9816 10341000x80000000000000001032439Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.591{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a2d224|C:\Program Files\Mozilla Firefox\xul.dll+2512326|C:\Program Files\Mozilla Firefox\xul.dll+24cb3e3|C:\Program Files\Mozilla Firefox\xul.dll+24cb83d|C:\Program Files\Mozilla Firefox\xul.dll+25121cd|C:\Program Files\Mozilla Firefox\xul.dll+c140a6|C:\Program Files\Mozilla Firefox\xul.dll+c128b8|C:\Program Files\Mozilla Firefox\xul.dll+263307a|C:\Program Files\Mozilla Firefox\xul.dll+2629c0f|C:\Program Files\Mozilla Firefox\xul.dll+26333e6|C:\Program Files\Mozilla Firefox\xul.dll+3844f82|C:\Program Files\Mozilla Firefox\xul.dll+384525d|C:\Program Files\Mozilla Firefox\xul.dll+2503231|C:\Program Files\Mozilla Firefox\xul.dll+2502a26|C:\Program Files\Mozilla Firefox\xul.dll+25022da|C:\Program Files\Mozilla Firefox\xul.dll+2509923|C:\Program Files\Mozilla Firefox\xul.dll+fdb273|C:\Program Files\Mozilla Firefox\xul.dll+2e9816|C:\Program Files\Mozilla Firefox\xul.dll+2e2a42|C:\Program Files\Mozilla Firefox\xul.dll+ec13eb|C:\Program Files\Mozilla Firefox\xul.dll+ec0dd4 10341000x80000000000000001032438Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.591{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a2d224|C:\Program Files\Mozilla Firefox\xul.dll+2512326|C:\Program Files\Mozilla Firefox\xul.dll+24cb3e3|C:\Program Files\Mozilla Firefox\xul.dll+24cb83d|C:\Program Files\Mozilla Firefox\xul.dll+25121cd|C:\Program Files\Mozilla Firefox\xul.dll+c140a6|C:\Program Files\Mozilla Firefox\xul.dll+c128b8|C:\Program Files\Mozilla Firefox\xul.dll+263307a|C:\Program Files\Mozilla Firefox\xul.dll+2629c0f|C:\Program Files\Mozilla Firefox\xul.dll+26333e6|C:\Program Files\Mozilla Firefox\xul.dll+3844f82|C:\Program Files\Mozilla Firefox\xul.dll+384525d|C:\Program Files\Mozilla Firefox\xul.dll+2503231|C:\Program Files\Mozilla Firefox\xul.dll+2502a26|C:\Program Files\Mozilla Firefox\xul.dll+25022da|C:\Program Files\Mozilla Firefox\xul.dll+2509923|C:\Program Files\Mozilla Firefox\xul.dll+fdb273|C:\Program Files\Mozilla Firefox\xul.dll+2e9816|C:\Program Files\Mozilla Firefox\xul.dll+2e2a42|C:\Program Files\Mozilla Firefox\xul.dll+ec13eb|C:\Program Files\Mozilla Firefox\xul.dll+ec0dd4 10341000x80000000000000001032437Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.591{2E2BE06D-75A9-60FE-D279-00000000E601}53806744C:\Program Files\Mozilla Firefox\firefox.exe{2E2BE06D-75AB-60FE-D379-00000000E601}5904C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1bf761|C:\Program Files\Mozilla Firefox\xul.dll+a2d224|C:\Program Files\Mozilla Firefox\xul.dll+a465a9|C:\Program Files\Mozilla Firefox\xul.dll+a464ca|C:\Program Files\Mozilla Firefox\xul.dll+a44820|C:\Program Files\Mozilla Firefox\xul.dll+a44ac4|C:\Program Files\Mozilla Firefox\xul.dll+b8c461|C:\Program Files\Mozilla Firefox\xul.dll+2ff539|C:\Program Files\Mozilla Firefox\xul.dll+2ff444|C:\Program Files\Mozilla Firefox\xul.dll+2ff22d|C:\Program Files\Mozilla Firefox\xul.dll+2fee34|C:\Program Files\Mozilla Firefox\xul.dll+255b0d3|C:\Program Files\Mozilla Firefox\xul.dll+2564e11|C:\Program Files\Mozilla Firefox\xul.dll+255ae91|C:\Program Files\Mozilla Firefox\xul.dll+255adc2|C:\Program Files\Mozilla Firefox\xul.dll+250618e|C:\Program Files\Mozilla Firefox\xul.dll+25056bb|C:\Program Files\Mozilla Firefox\xul.dll+25032bf|C:\Program Files\Mozilla Firefox\xul.dll+2502a26|C:\Program Files\Mozilla Firefox\xul.dll+25022da|C:\Program Files\Mozilla Firefox\xul.dll+2509923|C:\Program Files\Mozilla Firefox\xul.dll+fdb273 10341000x80000000000000001032436Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.582{2E2BE06D-CA2C-60FA-630B-00000000E601}47283420C:\Windows\Explorer.EXE{2E2BE06D-75A9-60FE-D279-00000000E601}5380C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032435Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.581{2E2BE06D-CA2C-60FA-630B-00000000E601}47283420C:\Windows\Explorer.EXE{2E2BE06D-75A9-60FE-D279-00000000E601}5380C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032434Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.580{2E2BE06D-CA2C-60FA-630B-00000000E601}47282624C:\Windows\Explorer.EXE{2E2BE06D-75A9-60FE-D279-00000000E601}5380C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032433Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.580{2E2BE06D-CA2C-60FA-630B-00000000E601}47282624C:\Windows\Explorer.EXE{2E2BE06D-75A9-60FE-D279-00000000E601}5380C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001032432Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-ConnectPipe2021-07-26 08:43:24.537{2E2BE06D-75A9-60FE-D279-00000000E601}5380\chrome.5380.26.13490868C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000001032431Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-ConnectPipe2021-07-26 08:43:24.537{2E2BE06D-75A9-60FE-D279-00000000E601}5380\chrome.5380.25.66106856C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000001032430Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-ConnectPipe2021-07-26 08:43:24.537{2E2BE06D-75A9-60FE-D279-00000000E601}5380\chrome.5380.24.70407895C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000001032429Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-ConnectPipe2021-07-26 08:43:24.537{2E2BE06D-75A9-60FE-D279-00000000E601}5380\chrome.5380.22.67226667C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000001032428Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-ConnectPipe2021-07-26 08:43:24.537{2E2BE06D-75A9-60FE-D279-00000000E601}5380\chrome.5380.23.118248927C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000001032427Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-ConnectPipe2021-07-26 08:43:24.537{2E2BE06D-75A9-60FE-D279-00000000E601}5380\chrome.5380.21.79487290C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000001032426Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-ConnectPipe2021-07-26 08:43:24.521{2E2BE06D-75A9-60FE-D279-00000000E601}5380\chrome.6660.3.155424008C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001032425Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-CreatePipe2021-07-26 08:43:24.521{2E2BE06D-75AC-60FE-D679-00000000E601}6660\chrome.6660.3.155424008C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001032424Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.521{2E2BE06D-6DD8-60FA-1400-00000000E601}6881608C:\Windows\system32\svchost.exe{2E2BE06D-75AC-60FE-D679-00000000E601}6660C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001032423Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:43:24.521{2E2BE06D-6DD8-60FA-1400-00000000E601}6881608C:\Windows\system32\svchost.exe{2E2BE06D-75AC-60FE-D679-00000000E601}6660C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001032422Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-ConnectPipe2021-07-26 08:43:24.521{2E2BE06D-75A9-60FE-D279-00000000E601}5380\chrome.6660.2.30333741C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000001032421Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-ConnectPipe2021-07-26 08:43:24.521{2E2BE06D-75A9-60FE-D279-00000000E601}5380\chrome.6660.1.204053269C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001032420Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-CreatePipe2021-07-26 08:43:24.521{2E2BE06D-75AC-60FE-D679-00000000E601}6660\chrome.6660.2.30333741C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001032419Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-CreatePipe2021-07-26 08:43:24.521{2E2BE06D-75AC-60FE-D679-00000000E601}6660\chrome.6660.1.204053269C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000001032418Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-ConnectPipe2021-07-26 08:43:24.521{2E2BE06D-75AC-60FE-D679-00000000E601}6660\chrome.6660.0.178771927C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001032417Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-CreatePipe2021-07-26 08:43:24.521{2E2BE06D-75AC-60FE-D679-00000000E601}6660\chrome.6660.0.178771927C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000