23542300x8000000000000000892851Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:11.556{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F650C9F1231F70BE8791CEFA2B436F1,SHA256=0E66919EE7C766D1AB107F9D0391EA054180AD0B8FA72E2476D6822BBE8D0010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030473Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:11.316{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A87B21BA9B2165A256C86C33D09A4AC,SHA256=AA996B53E6B4AC2D2977DD75501EDA5121BCE31FF112727286F350006533A996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892852Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:12.556{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36093BF94CA9AF28262C78079A3AA20A,SHA256=35A740A1B187C253CFFDAE4ACDDB3D5A9C6B47C5E39666CA99305F00A2C01933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030474Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:12.332{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60CB5F49BC71FC0EA6F7EB455BFD4451,SHA256=7A9D23EE6C9FDAFD48CAF55F7A16A48DED8CBAC6860BB8D7B57275ABCE2187C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000892857Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:04.241{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52672-false10.0.1.12-8000- 354300x8000000000000000892856Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:04.051{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net61457-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000892855Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:13.853{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12007F9F11F24663F63941F76ED4F9EE,SHA256=B09361B193DC0961B849978F4DB25C6E1099918EF0D082801E4888A71E1F2436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892854Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:13.853{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A19A29D38D91FBA8CB741F7B2D286257,SHA256=C62114B8F473365FCBBB25DE1C0017BD287DD715EB792C3B120225371AD8E94B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892853Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:13.572{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6838A717E8EFD197F4096E56C5F43D1,SHA256=00A5A9CCB0081EEF2D98E9E069415255F8F2CFB6E81CAA96F9C5267C2DD9ED87,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030476Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:13.220{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57566-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030475Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:13.332{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E19E54436C7A4C236F8AB8D315B3E4B5,SHA256=5DC6F54FC1A25F788B806C2FF6AFE93160C3F20D78727E64ACF4A553EF9DAADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892858Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:14.588{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5CCC22269D4BD450901CC630586E37,SHA256=B78DEE6DFDD03FD192212976D29F96E5D28498A486C8E58CAAFBEC4DFBA050BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030477Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:14.347{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=644573C924FDD3435A548D5D3E813490,SHA256=57B57DB51D3B0F2DC1735B8518CD1F420EC452AB3F0E1B6355AEB8F7D17BAAD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892859Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:15.603{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B632D0AEDC03A5A0552E40E5E63655BF,SHA256=8CC945AF67543FCF1DE39CBDFC2BF4CA8DD35B1DCB3E96A1A7567B39860A00C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030478Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:15.347{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7FE623CD6D13DA881A03898630E828B,SHA256=4977AD9FE539F32D871A2F21AE198BD56F5FDC5E143DC75C00F10EF0CB7CFBF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892860Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:16.619{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97AD23AF0C849CC5CC66FEBEB30C069,SHA256=1ADFFF03CDBC6A58D6A0B830E9EB109B034ADA146F1203A0A3329D29C4AD6D3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030480Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:16.390{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.20-33316-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001030479Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:16.347{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A99E3222DE8F13D5B337CD33DAE2F28A,SHA256=9EF6B8F27871136D6637F8679202881C8F9E4657BBD9F852020A039A8FA08458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892861Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:17.634{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456BFE68CAFBB0CD14BC1578023EB9C2,SHA256=141B8B8F743D2BB2CFB3B98624D9F88964BE8121A80702F36231723BF1909F27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030484Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:17.910{2E2BE06D-6DD8-60FA-1200-00000000E601}780NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=989A3679B7EC84513824E22F9DE04751,SHA256=F6D5E79EE8B52E13BB8EEA595DEFC43A1313BF3C205BAC9FC60EED40FFE03EC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030483Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:17.613{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBE1E1F9310CC8138027E09278ED16DA,SHA256=443C2A0DBE0C625BE7C12DA04A3D9ADB0B22979F066989355A8225A3BDC98A8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030482Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:17.613{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8DE7694960DDB5E6B5CDAC8C8AB3191,SHA256=88DB5590A38E74C1C635D7D5427D4F4B20A264A22745D892CFFDF0D1D7CB3C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030481Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:17.347{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=723001448A21FC7CBC691510E4F96F7F,SHA256=E9F2C87C24800CA7BF4C2C606AE24CDC19FAF58ED3B3B388A13E86B85A09BBD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892862Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:18.634{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00405EA3CA23D75CF889786809A0B34A,SHA256=5BEF4D93655509E853235172282B15DB9C8FA5DAFDD29A748A738E078883E9A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030486Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:18.329{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57567-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030485Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:18.363{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF8DF0C02E89FBC9421346C0E84781A4,SHA256=B37DD6A99EEEB2D3B9573B3547F5ED27271E7B5CFF239D55161C5B93AA95C924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892866Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:19.666{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=868E3104F2196962B72C334D7FE25EF2,SHA256=5F4455E54C665CEE788E73B59BF48636F1C06E50E1858855846DA4976F4EE3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892865Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:19.666{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12007F9F11F24663F63941F76ED4F9EE,SHA256=B09361B193DC0961B849978F4DB25C6E1099918EF0D082801E4888A71E1F2436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892864Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:19.650{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D819B25395492792EEF874AF3CBBE4,SHA256=E950AF9F7BFE5F8341C6CE78967C9195F0D084C1DA8A0E69F70B6CC7B58C673F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030487Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:19.363{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2052FD2E686CA2F082883BCAA613EBB5,SHA256=E63BE9B910006A0E949A9267019C965A159B66AB390EC95465EFEC0ABD95FC05,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000892863Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:08.927{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.7-45839-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000892868Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:20.666{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C606A6E8DBAE403F912620A947FE233,SHA256=A1AA69A066B1C3D4B03495C489D74450B829F849C9A1B5BE191C0F0A3519EFC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030488Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:20.363{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92B7BE732A0CB32D7889FB6F24A6ADF2,SHA256=3B0F018741BEA54A40A8453BD59BD0DB0E6A5E541B611E7E8A7DE17A7EE3E8DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000892867Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:10.208{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52673-false10.0.1.12-8000- 23542300x8000000000000000892869Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:21.681{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51138F913C0C4036B834712B8694FBD2,SHA256=A12BE7305AAC1E62B16CDAB54D2EBF99516EA0D1B5553A261D8D0B5FA2E7E066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030489Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:21.378{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA1B5D017BE91CDF9E25A501DC127CD7,SHA256=BCD7A621E0EA2F7794EE419D37160D18FBBA22AE7D64747A490D8D82E2B65656,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892870Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:22.916{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21390E3FD1F42C16CA83A76E9D2839CD,SHA256=28C86DF131D52375D549390C330FBCB351471F1ADE9C3B5CE84DA975D3782AC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030490Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:22.380{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15394ECCA2D497DD00DBDC6D31B97C0E,SHA256=8553AE05E597E73A006C02EA43C84026AAACA8CCA019B3BF45FDD17237551BBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030491Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:23.382{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB341071EA47553258307A1046BD42F,SHA256=EC0DD25D5A9DBF235E704DC8871A202B231EA7143F79AFE5597202A58668E538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030492Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:24.385{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4101951834BB31E81594C690F4629BDC,SHA256=80DA94BDD5D18A8142F042C36DF95BDC047D3831103FB38E46DAC41AB9CC4DB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892871Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:24.088{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61FC7461546AB8B7191E7E918334ACE1,SHA256=B4680D8B857B5E38575C7041E28BD23C4B25AA65563CB01E29FB099573E8F2E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030495Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:25.385{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1DFFB9C785460EC9BA0BED5C130BFF,SHA256=61160C80501D44E90285D2DAD65AA4085C62C88CD82F6D6E94FAD1066A5B088E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000892873Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:15.582{D94AFF6C-6DD8-60FA-1100-00000000E701}972C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:1cf1:2a09:f5ff:fef0win-host-702546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x8000000000000000892872Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:25.103{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1D043A48A0A5B4C9CBA753165FC19DC,SHA256=2F2F37A6785FA967250943E4547E0306686CBE4191B15C9D2EDB5BA2B627DEA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030494Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:24.177{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57568-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030493Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:25.229{2E2BE06D-6DE8-60FA-2700-00000000E601}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030496Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:26.385{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3254D6AB1599FE720ED97BBA942D3369,SHA256=C44684D875E68A66B83350A5956273B2FD4E8F6C0CE798CE7E388993517C32EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000892875Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:16.114{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52674-false10.0.1.12-8000- 23542300x8000000000000000892874Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:26.119{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC1B5F595758B7EBADA45650EDCAA48,SHA256=F89293B0E0089EF91840606C79097D03DEF9FC8499924165B122CDEAA8D724DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030498Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:27.385{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EF881D856C525919DEBA6DE851B2E67,SHA256=107B8CBA5689B9B938BF187C1717F135330C0B57B3038CB5249EBA8196E83D08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000892889Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.963{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-73CF-60FE-FD78-00000000E701}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892888Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.947{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892887Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.947{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892886Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.947{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892885Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.947{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892884Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.947{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892883Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.947{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892882Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.947{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892881Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.947{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892880Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.947{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892879Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.947{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-73CF-60FE-FD78-00000000E701}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000892878Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.947{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-73CF-60FE-FD78-00000000E701}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000892877Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.948{D94AFF6C-73CF-60FE-FD78-00000000E701}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000892876Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.135{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B613BFB0C437DCC6133C1E54F98BDAAF,SHA256=23A356E0132BBA848663CA4952CF5A9E77C50126C98C32DEE2C96865469068BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030497Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:26.352{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57569-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001030499Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:28.401{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59FD17635A1B93D1670888E43A90202,SHA256=4ECC4197FC685A30BB8405E7B7B4652D015238D3AB160BABBD0B190EAE14E116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892906Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.963{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=094ADA860C58B78740B9003778F9F383,SHA256=E2CE59B3718F36338078F99F29355D3E291816BC61A8FD1A2873B595FCA2E672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892905Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.963{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=868E3104F2196962B72C334D7FE25EF2,SHA256=5F4455E54C665CEE788E73B59BF48636F1C06E50E1858855846DA4976F4EE3E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000892904Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.634{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-73D0-60FE-FE78-00000000E701}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892903Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.619{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892902Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.619{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892901Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.619{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892900Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.619{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892899Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.619{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892898Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.619{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892897Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.619{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892896Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.619{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892895Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.619{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892894Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.619{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-73D0-60FE-FE78-00000000E701}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000892893Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.619{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-73D0-60FE-FE78-00000000E701}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000892892Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.619{D94AFF6C-73D0-60FE-FE78-00000000E701}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000892891Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.181{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4ADA4C86DE5C2A718889A3BAC4B5D7A,SHA256=3D98FB0F7E9EB5EB43F73E4EAEDF00B0546251E31487705AF9D825EE0148F15E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000892890Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:28.072{D94AFF6C-73CF-60FE-FD78-00000000E701}31363496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001030500Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:29.417{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAB2047E2CFCF23EBC7321C4BAB2CFF5,SHA256=3B4A2964710AD67BB213B64ABAC7C2F4A70B182F9B90C202201EED97887D5980,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000892933Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.978{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-73D1-60FE-0079-00000000E701}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892932Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.963{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892931Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.963{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892930Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.963{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892929Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.963{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892928Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.963{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892927Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.963{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892926Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.963{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892925Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.963{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892924Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.963{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892923Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.963{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-73D1-60FE-0079-00000000E701}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000892922Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.963{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-73D1-60FE-0079-00000000E701}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000892921Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.963{D94AFF6C-73D1-60FE-0079-00000000E701}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000892920Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.447{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=154E855FB1EE24836B2D99400E50F943,SHA256=75ABD41CFCA420FFB6D23E45D23C2092EC29E410E5D644DFA60C9D50899FCE9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000892919Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.306{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-73D1-60FE-FF78-00000000E701}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892918Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.306{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892917Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.306{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892916Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.291{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892915Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.291{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892914Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.291{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892913Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.291{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892912Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.291{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892911Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.291{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892910Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.291{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892909Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.291{D94AFF6C-6DD7-60FA-0500-00000000E701}4161852C:\Windows\system32\csrss.exe{D94AFF6C-73D1-60FE-FF78-00000000E701}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000892908Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.291{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-73D1-60FE-FF78-00000000E701}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000892907Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:29.291{D94AFF6C-73D1-60FE-FF78-00000000E701}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030502Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:30.417{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C4AAFE45CA537DBCDDDB8F39F85B220,SHA256=3100923FBEB8D8578683DAB9BC6466A964E8E9F208E2476339E41E4D921AB729,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000892936Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:21.223{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52675-false10.0.1.12-8000- 23542300x8000000000000000892935Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:30.541{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF62F8FB954F7B491E263CD26072BCC,SHA256=A7EAD608A4FDAF899EFACB402422C6F51F5B7A61F79061689A665D49134EFEE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030501Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:29.274{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57570-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000892934Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:30.338{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=094ADA860C58B78740B9003778F9F383,SHA256=E2CE59B3718F36338078F99F29355D3E291816BC61A8FD1A2873B595FCA2E672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892937Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:31.556{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B22CD47A04F0EA07177A2BCB528860D,SHA256=405F822F14B8503F3A6AD316F85E3EC68871FFAFFB790476FB2F440E86466DEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030503Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:31.651{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA609DFAFC65CEC9B4843256ED3D08BA,SHA256=07D91F7384D17D1A706D81E079492B760E7DF06DF3388C2B07EAF6C4ABCB6B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892938Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:32.791{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266526679060FEE9A81526B78A5E7A9C,SHA256=46239B0526717C69FAAA4D95C329509FED287CA8CFD89DB7AA9C8E362EEC7E1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030504Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:32.651{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB23E9F1B52B8128A01C15A231B03DC,SHA256=7F1B13B1A17B577D7B37221A5430A11EF19280B4FBD1A3925AB123ABA5461575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892939Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:33.853{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0882CD562BA3DA3BF24FF6B05A23EEAF,SHA256=22ACAE60460E3D7E51647E6F6FDC1CC848ED97AE16CF7EF5434D44320BC0934A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030505Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:33.667{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDCB45970EA7851781ECDEB2D9B425B,SHA256=C5144B623042282FC0847D3183B7AD6FA1F9393F41EA0358CC79F3CE9966A0E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892940Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:34.869{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1107C901CA1FF43820CF9ECC3038A520,SHA256=D9B1224E17716604754A6B835E2FFCCD3981DB2668790219EF53E6692A901339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030507Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:34.885{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CAE1726E3C1CE9C373F4258AFF514C3,SHA256=DE554FC8D32A66459CFA208345A866626D4B475B7C116A3B48ED98F94811B155,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030506Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:34.352{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57571-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030508Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:35.885{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21388E84B0E7A729DB9CCB5D0DC3466A,SHA256=169445B53E3D17C387D403E83DDCAB1D0DB81E9EDA3F788304D149E7DB200F07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892955Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.884{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5304DBAD31AA721CCBB3833A09ABBB,SHA256=A414914AC77743E8F1CB64901105CF35E45B727DCB09B0CA7675D30DB3F839CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000892954Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.713{D94AFF6C-73D7-60FE-0179-00000000E701}29883032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892953Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.588{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-73D7-60FE-0179-00000000E701}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892952Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892951Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892950Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892949Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892948Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892947Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892946Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892945Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892944Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.572{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892943Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.572{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-73D7-60FE-0179-00000000E701}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000892942Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.572{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-73D7-60FE-0179-00000000E701}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000892941Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:35.573{D94AFF6C-73D7-60FE-0179-00000000E701}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030509Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:36.932{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEAFCD43502E323349CCBC767EBE12BF,SHA256=EDC8FCB4A4669AE284E795C1EB8B350AF4E63A89650477E1D4873C6742B10AB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892958Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:36.885{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FEF656A11F7E0A4AD00BA70E58EDF82,SHA256=8672076339058820E36F8446EE32C22DD14CE2034F5A2EB9FB162B9CB1D8B7EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892957Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:36.588{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD66CA5F5B77050678D1CD24B0BA5592,SHA256=DCEAB7EA34B43A7C22C4238ACBD56F9C49207FCF5B0638C7EBFD1F7E4EDAE6BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892956Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:36.588{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=974460A0E028FE1B9C06A8ED1057058D,SHA256=F5F2CCD948728962AB80DED9ADCD8E012E297427A3B3B0B35901B9361A1C48B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030510Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:37.963{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE48B87FF65ED23DBED0A7102FE3CC3,SHA256=33BA22340E1C962C87B2C11982543ADE0C218C96A0EC07ED592002806724BAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892960Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:37.900{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B1E04AC1F81872C8AF2007C12705B7,SHA256=882AEDDC13B22DDA8CA9ED85097C311AC8C959890FC5B89B0B62C91595B5BCF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000892959Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:27.098{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52676-false10.0.1.12-8000- 23542300x8000000000000000892961Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:38.916{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFA0B798058D8F1208B793981705195A,SHA256=6ADBE20F91D127314123BF57D38B4734E5D42E24218C5D818A32395CDF961E4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892976Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.931{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=511BF7853820A728C57C0175A4652387,SHA256=243E466CAB38842C81291B2048C713B70081F9D5FEE46F18BBD7BBCF01BC0ABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030511Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:39.026{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A08A1DE5FEFB1B374DE7DA7402F2FBB,SHA256=1158889BC4DB978C92C249E00D5DD2AF6B11FBE547AE8D6A7A67A3895E6AA530,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000892975Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.619{D94AFF6C-73DB-60FE-0279-00000000E701}22841536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892974Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.494{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-73DB-60FE-0279-00000000E701}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892973Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.478{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892972Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.478{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892971Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.478{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892970Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.478{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892969Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.478{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892968Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.478{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892967Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.478{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892966Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.478{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892965Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.478{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892964Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.478{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-73DB-60FE-0279-00000000E701}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000892963Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.478{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-73DB-60FE-0279-00000000E701}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000892962Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:39.479{D94AFF6C-73DB-60FE-0279-00000000E701}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000892992Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.931{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9711E95F2FA6250DB81621C3FC313FF2,SHA256=500C59FB476C0D3E3F429C615F763F7948AA847EDDE687F79250B5DC1A6FBEDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030512Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:40.260{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F15BD39F766A4534D52F082A8223D214,SHA256=39D2CB28D70205958CDE290E1984192CD6AD62629DAFA3FD1CF801186B38C797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892991Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.510{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD66CA5F5B77050678D1CD24B0BA5592,SHA256=DCEAB7EA34B43A7C22C4238ACBD56F9C49207FCF5B0638C7EBFD1F7E4EDAE6BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000892990Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.275{D94AFF6C-73DC-60FE-0379-00000000E701}32043704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892989Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.166{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-73DC-60FE-0379-00000000E701}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892988Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.150{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892987Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.150{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892986Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.150{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892985Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.150{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892984Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.150{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892983Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.150{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892982Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.150{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892981Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.150{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892980Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.150{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892979Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.150{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-73DC-60FE-0379-00000000E701}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000892978Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.150{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-73DC-60FE-0379-00000000E701}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000892977Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:40.151{D94AFF6C-73DC-60FE-0379-00000000E701}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000892993Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:41.947{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8B7D78F268BE87174977B62F0803CB3,SHA256=CDF5B9C7E287B89D893690266C550CA858CA707D898505AA75995ACAE63F9A96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030514Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:41.277{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F61940CA87C1A13FD74BD641C4B484,SHA256=452CA37A46E71BD0F84373FDF8FAEA1581BE31C59F9E9CDCCF52CE835B89A082,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030513Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:40.211{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57572-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000892995Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:42.963{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60F7487E88F06FFEC04282F8785C601,SHA256=63A89DC0A55F7B6F9E73CD1787C0B72FBDDCAD7E9D53EBF6DC897065CAE20D8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030515Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:42.292{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EED7BB30AC95E83C1007AFD7A651CE4,SHA256=D3AF81212251590756AF442A32DF437C559178D5260895C79BD29F0D3F66646F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000892994Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:32.238{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52677-false10.0.1.12-8000- 23542300x8000000000000000892996Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:43.978{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72AF2CEE989249B99E17413A8C2637D3,SHA256=84199958E4CB0374D001721519C36A067F559138767CFADCA15F74A33AD08F85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030521Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:43.995{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030520Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:43.995{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030519Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:43.995{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-73DF-60FE-9479-00000000E601}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030518Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:43.995{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-73DF-60FE-9479-00000000E601}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030517Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:43.980{2E2BE06D-73DF-60FE-9479-00000000E601}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030516Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:43.323{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4AC994828D0BC1E4B21CE6A9BFE7E26,SHA256=B411E396426BD7916FD71F862D8C1E74EC99C638529934356D925F16D8FDA5DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000892999Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:44.994{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6B54C418F756DED6519EE000A760B7,SHA256=8E8EFFC189AFAFDAA69FD441F040A79884BF876393DD507F5878AFF5C58061DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030536Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:44.979{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C45F8D529E980BDE001569E2BF64A9D,SHA256=80244AB02DA148C51FC8979A7E43E9CC7B02A8E71AD85A8264B3FC8F3358E74A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030535Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:44.979{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBE1E1F9310CC8138027E09278ED16DA,SHA256=443C2A0DBE0C625BE7C12DA04A3D9ADB0B22979F066989355A8225A3BDC98A8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030534Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:44.682{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-73E0-60FE-9579-00000000E601}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030533Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:44.682{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030532Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:44.682{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030531Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:44.682{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030530Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:44.682{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030529Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:44.682{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-73E0-60FE-9579-00000000E601}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030528Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:44.682{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-73E0-60FE-9579-00000000E601}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030527Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:44.667{2E2BE06D-73E0-60FE-9579-00000000E601}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030526Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:44.323{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83AAA60FB6F56ADFBAEB0BC095A2C4C4,SHA256=838096A71F2721F479519987DDCEC78A10C030761DA8B008477250E7B9930F30,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000892998Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:34.880{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.227-59352-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000892997Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:44.181{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C54D9BA0485ACFA41E00B64FBD52671C,SHA256=19333A51CF793E45BACF254A23D4F0E69B5A360C1706ED5DBCC3ADD8652982FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030525Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:44.245{2E2BE06D-73DF-60FE-9479-00000000E601}42922980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030524Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:43.995{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-73DF-60FE-9479-00000000E601}4292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030523Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:43.995{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030522Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:43.995{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030546Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:45.635{2E2BE06D-73E1-60FE-9679-00000000E601}5780760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030545Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:45.370{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-73E1-60FE-9679-00000000E601}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030544Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:45.370{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030543Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:45.370{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030542Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:45.370{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030541Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:45.370{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030540Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:45.370{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-73E1-60FE-9679-00000000E601}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030539Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:45.370{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-73E1-60FE-9679-00000000E601}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030538Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:45.355{2E2BE06D-73E1-60FE-9679-00000000E601}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030537Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:45.323{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42DD3077039C3210A4578679A8403E6,SHA256=7D75780C7FA03B0FB24814CA182342C1214980CCAE622F02B7295F54A7CD2DF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893000Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:45.463{D94AFF6C-6DD8-60FA-1100-00000000E701}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5C4F73CCF2CB899FC81F6EB0F7548902,SHA256=AC45814006598B6BFE030B0F290A31B91ECC8C71E81D00DA59FAB56475352D23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030566Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.620{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-73E2-60FE-9879-00000000E601}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030565Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.620{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030564Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.620{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030563Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.620{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030562Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.620{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030561Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.620{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-73E2-60FE-9879-00000000E601}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030560Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.620{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-73E2-60FE-9879-00000000E601}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030559Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.606{2E2BE06D-73E2-60FE-9879-00000000E601}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030558Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.401{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F69E4C54627288315A7EAF22FEED8B88,SHA256=D796169DC1326873DA197408BF0980EEA543D3DA5F878D8E2CDDE16FFB9C56D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030557Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.401{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C45F8D529E980BDE001569E2BF64A9D,SHA256=80244AB02DA148C51FC8979A7E43E9CC7B02A8E71AD85A8264B3FC8F3358E74A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893001Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:46.010{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8805E6985B22A1324E53FC6F1DBB220,SHA256=379346F194DC383753FE7261941DCBAAB80AC949612D4003C7870F0C828D9B7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030556Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.245{2E2BE06D-73E2-60FE-9779-00000000E601}13405624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001030555Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:45.321{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57573-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001030554Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.057{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-73E2-60FE-9779-00000000E601}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030553Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.057{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030552Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.057{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030551Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.057{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-73E2-60FE-9779-00000000E601}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030550Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.057{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030549Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.057{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030548Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.057{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-73E2-60FE-9779-00000000E601}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030547Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:46.042{2E2BE06D-73E2-60FE-9779-00000000E601}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030577Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:47.604{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FC266995BC840832C5EDA38EE995C35,SHA256=16F59E2FF049C174A6B38A35D57C2D2FDA2F60F50B65F777CF11F4D60036EE11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030576Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:47.573{2E2BE06D-73E3-60FE-9979-00000000E601}20205640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001030575Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:47.510{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F205438A2E36D676A29AB6B499A234D,SHA256=F3720709C4CB43D989A6E44E8F7559B9AC3563E60EF870E5F664E6EDFB9FD50D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893003Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:38.129{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52678-false10.0.1.12-8000- 23542300x8000000000000000893002Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:47.025{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C5F2F5CA60D0E7C1037CE088872728,SHA256=79CAA50304A3C6004174E897948E8519A5FA23BC85D9DB7EEC1B8C58C991FD57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030574Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:47.307{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-73E3-60FE-9979-00000000E601}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030573Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:47.307{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030572Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:47.307{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030571Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:47.307{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030570Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:47.307{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030569Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:47.307{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-73E3-60FE-9979-00000000E601}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030568Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:47.307{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-73E3-60FE-9979-00000000E601}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030567Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:47.292{2E2BE06D-73E3-60FE-9979-00000000E601}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030578Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:48.620{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B9BBC6FF5BEF55C1C30A97197F4CC75,SHA256=F5E1B8B229ABD6152B78F264CA1A8D649C50EB0FAEAED99BAE0D79317342DD17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893004Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:48.041{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF80C10EE196AB80411F975A3590707,SHA256=97C101F15496E6BF18A72ACDDD270C355C223D3AC46251C3200D531EDCAD113F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030579Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:49.667{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71BE94E3BF6DBA031873825AABB165AE,SHA256=D4E997CB3036165BEB4AD57B80C167D6E82E0E0B8073AE09E4C56D75923AC847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893005Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:49.056{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4714FDF6CD39807FA4FC432A730E8320,SHA256=FBD48EA9623027661E8A43546995FDCE08F2A77C7758E6E3E6BEEAD09B0930A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030581Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:50.713{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FCF837D9BE2C651812F6F5A3686E6F9,SHA256=AD533203B9FFDC488F03681BBF35A5FB806C5D882542F0B27122B9957BE19BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893007Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:50.416{D94AFF6C-6DD9-60FA-2200-00000000E701}1296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893006Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:50.072{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50CEBD9FEAF1B3017119AF044409B100,SHA256=583119F98E002E1396F74EBF49A305262329CFCC0D4A7E59986456B8732F5920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030580Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:50.604{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FACBE9A9FAD0FF4AE8740C76EF9FE7B,SHA256=D412EE482E6957EC3EBD7C60F85D699D10A3B0EE425DDD73C3A8822861515AF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030593Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:51.839{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-73E7-60FE-9A79-00000000E601}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030592Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:51.823{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030591Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:51.823{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030590Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:51.823{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030589Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:51.823{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030588Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:51.823{2E2BE06D-6DD6-60FA-0500-00000000E601}416420C:\Windows\system32\csrss.exe{2E2BE06D-73E7-60FE-9A79-00000000E601}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030587Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:51.823{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-73E7-60FE-9A79-00000000E601}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030586Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:51.808{2E2BE06D-73E7-60FE-9A79-00000000E601}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030585Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:51.745{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C976D204E9A2CC7E960B7F5A5A608FDB,SHA256=F86C9DC35299247A62BD61C2344408CEA6B9C13B04E5272AD0C0F978CA76F10D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893009Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:42.410{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52679-false10.0.1.12-8089- 23542300x8000000000000000893008Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:51.088{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AB80CEE96FD6F3406FB5B00F757D2BC,SHA256=AA387BC7ED2AC442C1391FB8FEDA33E26ADE6627F83C0FAAAB692E7534FCE863,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030584Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:51.195{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57575-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001030583Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:50.743{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57574-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 354300x80000000000000001030582Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:50.743{2E2BE06D-6DE8-60FA-2300-00000000E601}2740C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57574-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 23542300x80000000000000001030595Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:52.823{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=930FB24CC7F4F441F1315AF7FCADA3C4,SHA256=A7F2AD5596D9A841E130041A46824F31F65D38B7A2A22BB7CBBC46F41568FD18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030594Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:52.745{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C931FED91435A93430190ED29608F4,SHA256=2C64F82C3A66F4F5504847ED902E747A1E53F9EE6B30E8C9E79AF13A7AF436BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893010Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:52.103{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEC0D7C11E50F289A64E06FA1C4FD57D,SHA256=580C50058D0980B59DCBE383FA8F8F95B6EFC460280C0EE6CFA81C7DD517B402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030596Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:53.760{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=470F4B883D96864C77021FBE357D649E,SHA256=42D23575AF597D2BB0F1246C25B4EB4E85037E9D565FDAEF86F858793FDC4C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893011Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:53.119{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CBD4251AD0BD86D9C442E2588B2B57C,SHA256=F72DECA87533402D97E6BD5B22AA917DC171F07002E491CB5AA8BABDFB7DA4BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030599Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:54.807{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=628687E5CFB06AEBBF2E1EBE1CED6F27,SHA256=90528D16F952E7C4B8942E6B0C2020D2B453EA724D7620577C1C78B7F3168EF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030598Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:53.893{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.235unn-212-102-34-235.datapacket.com3822-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001030597Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:54.166{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F88FF3C063497B9DBB6DDC5EEBB6B64,SHA256=373DDE460A28D43B25977A45D6D5BE6EDD9086CE4BF3C13E53ADB29BD7B07F29,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893013Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:44.035{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52680-false10.0.1.12-8000- 23542300x8000000000000000893012Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:54.134{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=380C0CCC33A0BEC1D353D7DB52E8239F,SHA256=40CA6ECCAD419689AE9714F663801E4F5D50AFFA1242BAAC326DBEBC7DFF32AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030602Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:55.807{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DAB51B2726C3794768ED53069C8C48E,SHA256=E8CA670FF37FE33676593BD09AC9CABA9D9B9BF05140AB29E58CAD5C526E21FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893014Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:55.136{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47B8C35DE4DE2FF08C7DD72B1DD94268,SHA256=2B7B8193CDEB7BEBBE29DD932BE772BF8D5C66192932C1451D9E5BFA5A212678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030601Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:55.510{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35F2676CA310EA41EA0512DD6E8C3B32,SHA256=67A0750563185273B49DD7955A7A9B194721F285987626EABF8755D939B4AF14,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030600Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:55.070{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.69unn-212-102-35-69.cdn77.com42719-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001030604Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:56.807{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DAF1700535ACF19626F13781C73172D,SHA256=A896AF039AD233B0A1678069EECC61CB65A3C194C5DC0AB777EBF80DCA40103D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893015Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:56.137{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A5B24FAE91702C9F4A519CA8F522A8,SHA256=D3F25DA1122769491C30AE7DFB16D4549D50176C6A1C95A80E1C145CE8D7E2F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030603Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:56.321{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57576-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030605Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:57.807{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6064729D8FFFC3846ACC30B010A9709,SHA256=69B07C7A20DB9C7174401EAC61355150229B533F857816A3BBA3A02663861792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893016Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:57.138{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C841ABAD90615B3E13F4A8529FEDE140,SHA256=FD98CF8081D11E6E87A866961934061B080E319D067101A263D9A5ADDD01A953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030606Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:58.823{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22079D7A7893A3C1DF557E6ABDA2E177,SHA256=58EC2FB3FECD53D9A2C542E3BCFB083B354CAF4B722B562775641732B8CF5CA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893017Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:58.154{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89964756C6729C06C9DF09B195B77879,SHA256=1C9ADB4D71DDAE70BB716A4882AD8CE6139B4E6F81D36FC6B7FD96D8E90DBC8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030607Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:35:59.854{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3995174AE308D31E51F4CF3CFC7311EF,SHA256=3E41D9DEF1627AF8D655CF7AE923B7AE78C5844157D9AA46A0F88E54EA827938,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893022Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:49.163{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52681-false10.0.1.12-8000- 354300x8000000000000000893021Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:48.951{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net60501-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893020Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:59.201{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5855C4014424F4F68B158AFA8AF1FF76,SHA256=8CDE7E3746D6D6B55FD23279FC86E57C9F0C449A721781014832ED5D7019D713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893019Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:59.201{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DD24ACD6EFB1A83EDC1D962254EA3E7,SHA256=A8FDEC2C6A746B52D1B7475E2506DBA7F62F908575C687CE44A736C61CA92595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893018Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:59.169{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B8DADB56D7AED613E3C79B9B04DBDC6,SHA256=19F8922A1C7F33B3DAD5B2D2E685110AC46AE7835857EEFA8ABF903A39E3C619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030608Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:00.885{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC52692630589156B739921F34AF1D5,SHA256=06D034A3C3811BF05FED02A84CC6D07877EECFBDC41AD0ACEC925B032EDDE53A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893023Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:00.185{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA98B6F338178B554AC03DD4DD381763,SHA256=D441D0A18BB63A2EBC0114B12650791846177FC399319221E55C70B45BC65166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030609Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:01.995{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9052C08546AFC5B10E5633DB1F15F426,SHA256=9270A60E971C14D774BF1DDA4C63A3F9309B69581CEA0CF53E750D3C0E1E2161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893025Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:01.638{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5855C4014424F4F68B158AFA8AF1FF76,SHA256=8CDE7E3746D6D6B55FD23279FC86E57C9F0C449A721781014832ED5D7019D713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893024Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:01.201{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7B539C35279C27A49C3C8B2422943C,SHA256=BA215F14894B4E50ECBD23C47AD55D016AEB4310B09A8DAC098791A8153F062C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030611Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:02.995{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBEEA2069EF3C06EBFEA85901615F524,SHA256=CA0B416C411A3F1414D31492C0A69D73ADB70CAF91C047F5AA24602761F6B208,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893027Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:52.573{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse217.160.191.146-56841-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893026Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:02.216{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=048162FB97C4C6BBA572769EA0AE7E26,SHA256=B69B831AB6F9FBB8FAD644FF4D896095D0920AFF0BE87AD6BDEA0AE7CE01043D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030610Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:02.180{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57577-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000893029Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:53.843{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse49.238.204.234-60674-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893028Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:03.232{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866133E4E2FBFAFE8247F76999EC3ED9,SHA256=76EFC190FCB09D56EB70F426FEC63846A20975666D2C092F27233F93F058C02C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893032Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:55.053{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52682-false10.0.1.12-8000- 23542300x8000000000000000893031Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:04.419{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=198F8AE1F4182BE2AF0B43D94E163E6C,SHA256=8DB456EF07DBA119F9DF3783BE305EC6CC201ED8B6E75C3FC93B554877901B00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893030Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:04.232{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49EB82270234D24C1823077BA5CDA26C,SHA256=687793143AD03D2D5865D7A8F03FA913679D370B27F7967F031347CEEDC448B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030612Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:04.026{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E64F7B9944FAEDCD4F2A72808BFBDF7,SHA256=9E80BFD20086D3A88B9072CB74969EB8C553640BA635BDA51E8AAF2C01DE76E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893033Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:05.248{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45664928533A1C9660538E3E33617A5E,SHA256=06222D827B92490D0E04F378DF8BE0E083626B09A2A0C0A4ED0D7EBD133C4C1A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001030616Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:36:05.635{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\80A749DD-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_80A749DD-0000-0000-0000-100000000000.XML 13241300x80000000000000001030615Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:36:05.635{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\FF0B1A08-CD41-4F90-8CA9-0CD1036C849E\Config SourceDWORD (0x00000001) 13241300x80000000000000001030614Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:36:05.635{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\FF0B1A08-CD41-4F90-8CA9-0CD1036C849E\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_FF0B1A08-CD41-4F90-8CA9-0CD1036C849E.XML 23542300x80000000000000001030613Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:05.182{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91A85370B35B32B490F7C9E86220F434,SHA256=69A192F5206F68701760EF4F8B529F52749728C6AD11A975F311561F3F8CD11E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893034Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:06.263{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B539A106366F5B90174102F4F487EACD,SHA256=B6E357074EB76AFC011EBCB4A10F483989DCD29B29A73A2F7C628B11AF8D11B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030625Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:06.789{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57580-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001030624Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:06.789{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57580-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001030623Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:06.781{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57579-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001030622Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:06.781{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57579-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001030621Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:06.760{2E2BE06D-6DD8-60FA-0D00-00000000E601}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57578-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local135epmap 354300x80000000000000001030620Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:06.760{2E2BE06D-6DE8-60FA-2500-00000000E601}2756C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57578-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local135epmap 23542300x80000000000000001030619Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:06.635{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCFC2A472B89EAD264CB314473E6023D,SHA256=B155FB98A363EE6454843CDC6DF5A62D3E327A29DF1410DA311F542C5FE32401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030618Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:06.635{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6909037CA2316261CA8E3F4C4F6DCDA9,SHA256=190C225D316E8BDB31F92E1ACCB46EEB31A5D0CE4838722B1A8598EF36718D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030617Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:06.198{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AF525BA86A94FC1CDA2A443F042D42B,SHA256=A2BDDD479D5CD5E61D74BCB429CE5E7304477E8C3C504DD6468B6D4B986236FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893038Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:57.885{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.20-37836-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 13241300x8000000000000000893037Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:36:07.436{D94AFF6C-6DD8-60FA-1500-00000000E701}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d781f9-0x4755e635) 23542300x8000000000000000893036Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:07.264{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7591F78B89E9C34B73B292B40BCAACB1,SHA256=6ECF75929A0B58E248963C60D6556ED0A0FEE8072A5D41A25B662CD95DA2C6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030626Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:07.213{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E1FAA6603AA8D5B05DB702E6F7CC6A,SHA256=12BD55558E51DB82BC0714FDACA8B0CD8AB1136FBFC3D540EA1A063B8AF213F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893035Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:07.140{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65626D535D6DCB7F9784742BF783396C,SHA256=CFD865B96F9EECA1AF327B30933D086A991060B97D20CBD1C6381E8E2620BC75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893039Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:08.280{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3971F3C2ADFE9F4DA8CEF53B256ED0,SHA256=1BF26B6CD466629B329F56A71C07FB2B7E7DF3BD0DD95EBD8459863FBA8F00B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030628Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:08.276{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021433B1B7338DB1BE566B2075876EA3,SHA256=77DD7998F8077CA98936739948947D2595901C72040BD3DE1BA2CCDCD6C21B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030627Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:07.258{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57581-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030629Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:09.276{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F6D1FE42485C08903516A92786A5E5,SHA256=C40F095797121F5AD857136F9E877A9503B49AE26D9241B088A24B659D5FCAEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893041Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:09.296{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9208AFA015F4B995AC10DD01BDE523E,SHA256=E22F28EC0DD219100045C85EA71F06400CA9A65F8F2B34D52A071D1F97F6DE0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893040Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:35:59.429{D94AFF6C-6DD8-60FA-1500-00000000E701}1052C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000893043Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:10.296{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C612076D60E0AE604B28D5C5A253910D,SHA256=12B84D4B2A5D379D3AE05D0CF3DC3418AD769AD52974289F913667F7E399D623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030630Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:10.276{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8463BAC3B41E904CA827F533F4335204,SHA256=E4974FDFB49C650B4FC461238A15D7F6968E16E0AA6377995439AEF6F4D238BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893042Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:00.133{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52683-false10.0.1.12-8000- 23542300x8000000000000000893044Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:11.311{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F647EAA6797CA1D3450115EABFB2AAEB,SHA256=5610A60834CC68582312A73C8BB2D3DABF3C73D7BA2501D01969F4389B4EBF61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030631Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:11.276{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F737BF19B3A416CD58C1A49EF54B76,SHA256=5A5FABE78D5329A31DF746139D1D266A7019A43F513C8ADFBDF238C8C6712DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893045Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:12.327{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB2D80E54B30F060ED7AA30A187B47B9,SHA256=7D45964EF0106A4E84496DF8A41B07AA51F513124C6E513895515CE58820469F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030633Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:12.383{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57582-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030632Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:12.276{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C43F994CF496F1D46C24F36C662CFD,SHA256=68BB4A0F2D4F15F421292529ED83E5185C29774AF33AF3F77134F1142398A1BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030634Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:13.340{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D17CC6C0B851AF08D406E03D595C56,SHA256=95A801727A590D6E3031B6309E4F5E001A5831AED251E8A7CC3A873A60D19840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893046Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:13.343{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B081C776FAE8F64853B8EDAF9B28AE5A,SHA256=5939F16691F385EFFE8F89EA8854CEE305562FF942ACDA1B871C98F8D9532B3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030635Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:14.340{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933E101546C57363263F0DA001079699,SHA256=AFFC3A83903D86DC84453E407BC5A43BAC5EBA44936E44CE26179B8DE3F97E6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893047Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:14.343{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A0F3A32069E9BC1E97A2DDDE0109A1,SHA256=3083BF3972A3E1C9D5339F969E66C9D3C1573B470573C3E7FBED8A670F1B68D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893049Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:05.226{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52684-false10.0.1.12-8000- 23542300x8000000000000000893048Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:15.358{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F2DFF68DF4EF942705B53AC9593E59,SHA256=98EB3D62E213A7D40A76212F71F41F3DC16A9738A3AA85495588500F9DF2E199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030636Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:15.387{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F025DBD700A302AD6DDC78E88E4D36F9,SHA256=B57158434E7A059F3E8C1D1C110D083C74699256C2FECC208E5596FFF8B39AE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893050Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:16.374{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C438AE151F22C6B660D8A7AAD0AE36,SHA256=948685C59D79CB67C129D0758E41D9DA6D8E36691EF39C89D0FC0292480C2473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030637Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:16.387{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53EE48C2119CA6FB283A41D593A24E76,SHA256=8745279B310684924BAE9A761DD85C07D95D7EC08EC63B330940BF4FC7ACE516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030639Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:17.918{2E2BE06D-6DD8-60FA-1200-00000000E601}780NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9F0D2F328F79EF02F2672CCE7FCB64C5,SHA256=8E97DAB565B274A04BA294435D23A058FA513C5F8D3F9350FF75204FD2CD2331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030638Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:17.465{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99315EEA201EB8B196F8CC0677C4CDD4,SHA256=23786F4BC6CADDB459D7C5715121AD675EC1324957498BFE13210F2101B3A199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893051Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:17.389{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=730D412F967235C3A0E52AB1D8ADE94B,SHA256=C9B726F8293F25E5126622696426178DA9DF832AADB8B2C60BDAA94FA8CC70AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030641Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:18.307{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57583-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030640Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:18.480{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA89508D5B9E01BBB2B23E0183B68D5,SHA256=BACEFA138A94B95524836F79F0E9DDD4EBDB3A9AED969E2A6C4E3B292551EACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893052Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:18.389{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0620AC1B87C7C60ECB741C2961F96D71,SHA256=5C7F6F3AB555B4335C2B2D64178508544D655853BA1C52955707B39130D00EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030642Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:19.512{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F9145E59FD659E4E4EE18F3466247F,SHA256=C1FCE72F09CE066207C44FF5C33F4A4C5BEBDD39FE60935A8504911B2DC83B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893053Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:19.405{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4857A3824217FB6D784D3303EBD6AE1,SHA256=71E3B637358EAD661C63198F2637D85D77AFEA129C8D8F0CD491CB699E8F2232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893054Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:20.405{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C22EA3B99B1DBE48C6DA6FD46F1E69AD,SHA256=88AA0CCCBC3CE9598C4BE7A5E96061B75F350167662A09E469BDFD67A01E3476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030643Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:20.527{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F27CCA19CA9C6D423970414C63449F,SHA256=156C9DC5BA8A7291EFCBFCDF03C4A56CD796ABD96AE5B170190144A08E90946A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030644Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:21.527{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C479C28F1E2BBC8BC8DA87C785331E,SHA256=FD659BF9329119DA3AABADAC7A66830D3F3BCB47B6CED4BEA55D1E16BAF87B1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893056Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:11.133{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52685-false10.0.1.12-8000- 23542300x8000000000000000893055Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:21.421{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878C86D998932A0B6CD7D62925691915,SHA256=B529B90B0FC09F5A65BE6D8459C68FC5BD0AE4F2FBC295040421590408EA9C03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030645Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:22.668{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2C21F45F01DE7C85FDE6A7CC077493,SHA256=A2B5F6269CD34AE715C314655C96012009A0AA0C64A4934465BAC517126E4871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893057Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:22.436{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42CAF14ADBDE78DC2FE31E5530071510,SHA256=97A01B034D420078540B5CC2F2267DBF2DBD32CDB9520FA6C3AADE5413129A38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030646Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:23.670{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF2C6235F29EC5AC409EB00C7A4A893,SHA256=AC89F185DB351058DFDC86C48D3AB4FF0757CA0048DABBDC08310C90E9F63AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893058Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:23.452{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA975825BA50AC4424BAA13F2A7B9117,SHA256=4C946CE04D7D291C20F48FA3C2A8E12E489A554E29E11F74BE5E6604EBA1632B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893059Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:24.468{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D4AB324A75C3A3004C9B2A713D7EE39,SHA256=085FE50E8BDF42763FF00CC5D3ED5B89963EABFEDA3E296B4F48F5EF6ABE1888,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030648Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:24.213{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57584-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030647Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:24.673{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE7EB4133F7C14FF3A5491EFBA235178,SHA256=0E76D5ACD8D69ACEE15718547362C2DDD769DA8CEB653A61DB82444CF5A69AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030650Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:25.673{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10367A1BE2730DA93A7AC82C92456F3C,SHA256=9A9F0F919BB8D19B5087F209A82C5CEB73925260BDC13A66D07127846AC5473E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893060Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:25.483{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A5FC85FC8963716185AA11D3B4C7DA1,SHA256=5D536F3715DBBD8DA55F61799B4D2FA0B5BBAF80A14C3F28E5C09386CB4CD2B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030649Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:25.251{2E2BE06D-6DE8-60FA-2700-00000000E601}2892NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030652Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:26.375{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57585-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001030651Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:26.673{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E0FB8500BD5CFD3F6EFEF0D3144D64,SHA256=6C55A509B242F9A87364FF02C3BEE1884BA7FC66524F6693511A4EC8F0EC9FF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893062Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:16.226{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52686-false10.0.1.12-8000- 23542300x8000000000000000893061Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:26.499{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3638D637F0A02CB55314CC54034D05E0,SHA256=6CA3E937E73F2380947B6D56DDD57FCCE4C812F7DCE72ADB459FDDB8444851FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030653Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:27.673{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE38654BB563C1DCC14D63AF69AAE99,SHA256=D6726B6457CE34F5B768E48A850F3C61EA38BCE05BACCE651ED6D49FBBAE284A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893086Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.967{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-740B-60FE-0479-00000000E701}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893085Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.967{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893084Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.952{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893083Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.952{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893082Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.952{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893081Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.952{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893080Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.952{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893079Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.952{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893078Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.952{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893077Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.952{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893076Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.952{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-740B-60FE-0479-00000000E701}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893075Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.952{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-740B-60FE-0479-00000000E701}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893074Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.953{D94AFF6C-740B-60FE-0479-00000000E701}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893073Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:27.514{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E5A00305632A9AD2EC7D04A3EE8B870,SHA256=1FCAD186F497BCD66C3CAF26AB59D4E36E06855A4959C9A60E951255D982D438,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000893072Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:36:27.202{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000893071Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:36:27.202{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fb82361) 13241300x8000000000000000893070Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:36:27.202{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d781f0-0xef7dd904) 13241300x8000000000000000893069Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:36:27.202{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d781f9-0x51424104) 13241300x8000000000000000893068Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:36:27.202{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78201-0xb306a904) 13241300x8000000000000000893067Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:36:27.202{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000893066Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:36:27.202{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fb82361) 13241300x8000000000000000893065Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:36:27.202{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d781f0-0xef7dd904) 13241300x8000000000000000893064Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:36:27.202{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d781f9-0x51424104) 13241300x8000000000000000893063Microsoft-Windows-Sysmon/Operationalwin-host-702-SetValue2021-07-26 08:36:27.202{D94AFF6C-6DD8-60FA-0B00-00000000E701}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78201-0xb306a904) 23542300x80000000000000001030654Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:28.673{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF7C35B4BC7608EAEF7E5676CDC6589,SHA256=CBADCD8D5A023F9A009410C5669774642E0CF7F293EA512C6003E3151236B903,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893103Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:19.640{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.94.89smtp2.groupcontact.net52887-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x8000000000000000893102Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.983{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E118518F6B01313DC9EFC68BF6F1A20,SHA256=B9B2B455ADC46A15B303B7ED5ED331AA61E9C9DA055F319A8293FC19D84175D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893101Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.983{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B16E6B0483B6256380B6368A70DECBB2,SHA256=7519E44076BC4994CC75D01A66983031510CBD5BE8B29D5FFF5DB6AAC0C0693C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893100Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.639{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-740C-60FE-0579-00000000E701}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893099Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893098Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893097Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893096Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893095Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893094Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893093Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893092Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893091Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.624{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893090Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.624{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-740C-60FE-0579-00000000E701}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893089Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.624{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-740C-60FE-0579-00000000E701}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893088Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.624{D94AFF6C-740C-60FE-0579-00000000E701}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893087Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.514{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DA89B18E630831047853D3CE6E3F01A,SHA256=620040B108011DEE18CC180EC656AC5244ED470AA4B75B1F0A664D08431E3C7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030655Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:29.689{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C103DB3F1BD0FE5A88F74B5E0B2A162E,SHA256=D057C49D8BD7236F0D7B515777AC8529F3F0236D4E5FA74C0F5FC7AF6A880CD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893130Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.983{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-740D-60FE-0779-00000000E701}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893129Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.967{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893128Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.967{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893127Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.967{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893126Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.967{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893125Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.967{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893124Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.967{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893123Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.967{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893122Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.967{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893121Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.967{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893120Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.967{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-740D-60FE-0779-00000000E701}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893119Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.967{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-740D-60FE-0779-00000000E701}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893118Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.968{D94AFF6C-740D-60FE-0779-00000000E701}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893117Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.639{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C40C38E272FA91AEC4E79BBBA12F567,SHA256=8C584D1CD1291F9A5ADB20E9A133DB27D0239D39626D6A8DE402E1E902C339E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893116Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.311{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-740D-60FE-0679-00000000E701}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893115Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.296{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893114Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.296{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893113Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.296{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893112Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.296{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893111Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.296{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893110Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.296{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893109Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.296{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893108Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.296{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893107Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.296{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893106Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.296{D94AFF6C-6DD7-60FA-0500-00000000E701}416532C:\Windows\system32\csrss.exe{D94AFF6C-740D-60FE-0679-00000000E701}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893105Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.296{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-740D-60FE-0679-00000000E701}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893104Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:29.296{D94AFF6C-740D-60FE-0679-00000000E701}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030657Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:30.689{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED04FACD9409C86057DF6669C3D761D5,SHA256=B8A0F424E1CAA31F4DDC34C071621336BFCC4BA239E509C54D8600C5896E3B58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893133Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:30.858{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EAF8D3170DAC83F3F395674E45AEA28,SHA256=3CAFA63B65E0E7E75212AFE3B33142E90AB2D457881309F6606A6DE04AB73110,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030656Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:29.281{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57586-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000893132Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:30.358{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E118518F6B01313DC9EFC68BF6F1A20,SHA256=B9B2B455ADC46A15B303B7ED5ED331AA61E9C9DA055F319A8293FC19D84175D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893131Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:30.092{D94AFF6C-740D-60FE-0779-00000000E701}40802604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001030658Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:31.689{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F492666769DD56B710208FBE3BFEA7D0,SHA256=E5D9F4780BE4F3A7EBB4186D462F7D57DD74412B323F31DC52F0DC5EF1298C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893134Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:31.874{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61D260A92815ECEC31621E2401B3809D,SHA256=C8394D2C4722B1B6D8F004E6D38615D1F3368F1DD1C090E73CF5A7F4A36A163C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030659Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:32.705{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932FE7F3D5134A186CB543A8E6D1CC29,SHA256=15BED6D3AA9EBCA1E13BBF531E0C89F377F4A7C1F716529128485E536E982DC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893135Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:22.117{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52687-false10.0.1.12-8000- 23542300x80000000000000001030660Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:33.720{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D1D8AFDDA40BCA97C2561DCF4C7282,SHA256=39CDBD43FAFE757441330E8D63F94CFE92C5E7EDDFAB80526C6B4742963DCFFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893136Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:33.061{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF9DE2695024AC6E74277937A64B8B8F,SHA256=0A950397A0C95C1BA3B3851760E25E5CABB7231945ABD157447CC4BC0E4A9854,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030663Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:34.720{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31F9CE395B559C25C94E46C8E4E739EB,SHA256=0A6DA24FE8B064EC54A331DE927AD674F10D350B26BEB96BA6ED3451AAFF33BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893137Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:34.077{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84ECE05051566893D64FA0CC468E5E10,SHA256=DCCF472D002190D3705385CEF8ADEEBCA6E8E76F0E9272963C505111B7DE4C18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030662Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:34.470{2E2BE06D-6DD8-60FA-0D00-00000000E601}9045064C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2900-00000000E601}2924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030661Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:34.470{2E2BE06D-6DD8-60FA-0D00-00000000E601}9045064C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001030664Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:35.736{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D116F577A93D9D119437BD10518BE3E4,SHA256=4835F9E4CBDE81851128AFC0E6A58C983ACE4B2AB83AECCE40AFC1F082A33A8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893152Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.561{D94AFF6C-7413-60FE-0879-00000000E701}19162256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893151Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.452{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893150Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.452{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893149Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.452{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893148Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.452{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893147Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.452{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893146Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.452{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893145Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.452{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893144Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.452{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893143Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.452{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893142Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.452{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7413-60FE-0879-00000000E701}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893141Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.436{D94AFF6C-6DD7-60FA-0500-00000000E701}416432C:\Windows\system32\csrss.exe{D94AFF6C-7413-60FE-0879-00000000E701}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893140Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.436{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7413-60FE-0879-00000000E701}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893139Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.437{D94AFF6C-7413-60FE-0879-00000000E701}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893138Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:35.311{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABCCF824DB29B7A591DAF3FBD8F12EE7,SHA256=06309BD0598B7D13FCEB1AD1BCE00C01F2C5CA2DEF1B71DEF980D423D5119271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030670Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:36.736{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F4B6EBE1F91C50EF7FA3F71E924552,SHA256=2B7C1DFB56D5D9BCFBD16C19107A08CA0F129075FC68F2B682775A155D2C8310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893155Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:36.546{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA4D2C11A60009F059FCBA7A83D244C4,SHA256=A307093609540CF85AB3C53319770308CA215B298A7B58DCACA99957CA5C06D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030669Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:35.203{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57587-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001030668Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:36.048{2E2BE06D-6DD8-60FA-0D00-00000000E601}9045064C:\Windows\system32\svchost.exe{2E2BE06D-CA2B-60FA-580B-00000000E601}4088C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030667Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:36.048{2E2BE06D-6DD8-60FA-0D00-00000000E601}9045064C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030666Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:36.048{2E2BE06D-6DD8-60FA-0D00-00000000E601}9045064C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-1400-00000000E601}688C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030665Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:36.048{2E2BE06D-6DD8-60FA-0D00-00000000E601}9045064C:\Windows\system32\svchost.exe{2E2BE06D-6DD8-60FA-0C00-00000000E601}844C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000893154Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:36.452{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F5E0A9C4EEFC54F76DECA0A9D167BBF,SHA256=C4BA4EDE69ED03A4E39893D4224111279E49175EF87EA68121EFF2316456C2D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893153Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:36.452{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=571B1D1A7584E38B9AF28FFFBD782896,SHA256=BA27AF9CA41EC528CEF48B01F0C6BB1E895B6F736B48F0750289925BD892C487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030671Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:37.736{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524D95D8E74E61406E8B2B3FBB857746,SHA256=3CA54C8B9C516B4E9EB5032F27BC7F69E087CA72002C604E2499A910A3474400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893156Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:37.561{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FE7E46DF1944E2A9FAF214CF20C514,SHA256=C0100D504CA5A9612C2FA83B7C79D0C4C24737DFE2C2FD2553E7DD06A50B8943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030672Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:38.751{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B07B223DB258FD7E5E5C1F0BE4D5CB46,SHA256=7039D7137463075B0054C89D0B1402E1C78E9BCE966617AAFC1930F31DCBBDFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893158Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:38.655{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D963CF8B6360A7C08C0A3CEEF0C6DB2,SHA256=D0AD1FDB6EF4F00F85688A190DB8C51F2938B05B2436E4D64A3F3DDA52E0D1E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893157Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:28.085{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52688-false10.0.1.12-8000- 23542300x80000000000000001030673Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:39.767{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24276B68D645F5583D40DA760B12686,SHA256=B5111E15BF4CF853770DB00AF912ADA04CAA74C1A2B3776AFD6EDC12329DF8F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893173Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.671{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46B64CAB1BE5FF3A42283212E237FB4,SHA256=B0BF98FFA5BEF6820F9C307CF96DBEDA480FD29666F6C2AEAA4572182D71EF78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893172Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.624{D94AFF6C-7417-60FE-0979-00000000E701}39881860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893171Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.514{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7417-60FE-0979-00000000E701}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893170Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.499{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893169Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.499{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893168Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.499{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893167Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.499{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893166Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.499{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893165Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.499{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893164Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.499{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893163Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.499{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893162Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.499{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893161Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.499{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-7417-60FE-0979-00000000E701}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893160Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.499{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7417-60FE-0979-00000000E701}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893159Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.499{D94AFF6C-7417-60FE-0979-00000000E701}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030675Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:40.767{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5743E6BD4A1005F70D2B0DD62A1B7F35,SHA256=2652A10288BA985496CF8967904431671AAC935275F0EE3BBAD9746C937FFC62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893189Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.686{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E9FD0D5D0747F390E311F5F569C661,SHA256=87D913B5697AD13B1AFA4F1ED0D7973CE9AFC20EE7BF95551EEAB8C7253B6260,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030674Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:40.343{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57588-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000893188Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.514{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F5E0A9C4EEFC54F76DECA0A9D167BBF,SHA256=C4BA4EDE69ED03A4E39893D4224111279E49175EF87EA68121EFF2316456C2D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000893187Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.124{D94AFF6C-7418-60FE-0A79-00000000E701}4004208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893186Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.014{D94AFF6C-6DDA-60FA-2B00-00000000E701}28322852C:\Windows\system32\conhost.exe{D94AFF6C-7418-60FE-0A79-00000000E701}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893185Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.014{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893184Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.014{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893183Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.014{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893182Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.014{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893181Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.014{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893180Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.014{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893179Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.014{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893178Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.014{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893177Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.014{D94AFF6C-6DD8-60FA-0C00-00000000E701}7282928C:\Windows\system32\svchost.exe{D94AFF6C-6DD9-60FA-1D00-00000000E701}1924C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893176Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.014{D94AFF6C-6DD7-60FA-0500-00000000E701}4161060C:\Windows\system32\csrss.exe{D94AFF6C-7418-60FE-0A79-00000000E701}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000893175Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.999{D94AFF6C-6DD9-60FA-2200-00000000E701}12963324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D94AFF6C-7418-60FE-0A79-00000000E701}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000893174Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:40.000{D94AFF6C-7418-60FE-0A79-00000000E701}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D94AFF6C-6DD8-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030676Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:41.767{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E398C5FD4C3FA19D7CD0DAEB265076A,SHA256=56AE278F5D95B627B372200035C3700F2B565BBF0C0BC899E6B3AB654BD8806F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893190Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:41.702{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF40378FD0AF31EB502862B08E6AEA15,SHA256=216B8A3C62718BE91A79B4DF476289F2692F75DCFC8F14485A8E1EB3D348D491,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893192Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:33.194{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52689-false10.0.1.12-8000- 23542300x8000000000000000893191Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:42.717{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A321780C1283C2692100DE8921891E7C,SHA256=F53D6E6EAAC7E28B52A946B28508A9E20D4AC63A985D477E985CEAF0FD5DB436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030680Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:42.767{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808C41CAC51C16E90A6DFE184A845D04,SHA256=61F949F056B11CD4A8A1F41F0BAF8D5622AB659A3F0AD3E133449FEC5F184BD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030679Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:42.424{2E2BE06D-6DD3-60FA-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57589-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local445microsoft-ds 354300x80000000000000001030678Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:42.424{2E2BE06D-6DD3-60FA-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57589-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local445microsoft-ds 10341000x80000000000000001030677Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:42.251{2E2BE06D-6DD6-60FA-0B00-00000000E601}6364400C:\Windows\system32\lsass.exe{2E2BE06D-6DD3-60FA-0100-00000000E601}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001030695Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.876{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-741B-60FE-9B79-00000000E601}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030694Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.876{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030693Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.876{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030692Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.876{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030691Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.876{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030690Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.876{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-741B-60FE-9B79-00000000E601}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030689Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.876{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-741B-60FE-9B79-00000000E601}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030688Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.862{2E2BE06D-741B-60FE-9B79-00000000E601}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030687Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.783{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F40D2ACC2536808DAE163BBB15D5F87,SHA256=DC8D525CB9F2141EC87A03A370B5AF33AE443C1040AE03D0F48FA5E1B05CA5A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893193Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:43.733{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE36131C0727924D5B7D601F883A895F,SHA256=1D982FF36EFE72A7E11CEB0FEF51643CBC795685CA2F616FE6BEE3C9BE88F5A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030686Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.294{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-56.attackrange.local57591-false10.0.1.14win-dc-56.attackrange.local389ldap 354300x80000000000000001030685Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.294{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57591-false10.0.1.14win-dc-56.attackrange.local389ldap 354300x80000000000000001030684Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.284{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57590-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 354300x80000000000000001030683Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.284{2E2BE06D-6DD8-60FA-1000-00000000E601}384C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local57590-truefe80:0:0:0:90d2:7368:bb37:9ac5win-dc-56.attackrange.local389ldap 23542300x80000000000000001030682Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.220{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60D563249C53AFC1A04A6CBF06C5046C,SHA256=E594FB30792C4FD4256E019B8E3A05D903E8D3510D596ACF19B55AF603E72FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030681Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:43.220{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCFC2A472B89EAD264CB314473E6023D,SHA256=B155FB98A363EE6454843CDC6DF5A62D3E327A29DF1410DA311F542C5FE32401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030705Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:44.876{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60D563249C53AFC1A04A6CBF06C5046C,SHA256=E594FB30792C4FD4256E019B8E3A05D903E8D3510D596ACF19B55AF603E72FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030704Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:44.784{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E80B99ACCE399C040EB17E115887BA3,SHA256=CC2526830CCBB14358477E7F28A6F5605B54BFFB8304359CD441A20049A2BB01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893194Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:44.749{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85DE025E521A61A566F13BF4AD69F879,SHA256=C3A012E7D585030D42430D8DCABF11CC14E668E8BF83851BDCA56EA8DEBDC17E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030703Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:44.564{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-741C-60FE-9C79-00000000E601}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030702Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:44.564{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030701Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:44.564{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030700Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:44.564{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030699Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:44.564{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030698Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:44.564{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-741C-60FE-9C79-00000000E601}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030697Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:44.564{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-741C-60FE-9C79-00000000E601}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030696Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:44.549{2E2BE06D-741C-60FE-9C79-00000000E601}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893196Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:45.764{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFBC8C60588BA843BC115117FF23EF0,SHA256=E3F6C649EE082D0EE5F6C2FD89E047558BC05DF16B90F470BD2733ED196E03AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030723Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.955{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-741D-60FE-9E79-00000000E601}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030722Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.955{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030721Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.955{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030720Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.955{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030719Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.955{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030718Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.955{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-741D-60FE-9E79-00000000E601}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030717Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.955{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-741D-60FE-9E79-00000000E601}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030716Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.940{2E2BE06D-741D-60FE-9E79-00000000E601}4692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030715Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.798{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=383B0903C1C2B5ECA392F45EA8F500BC,SHA256=7CEDB5E159C4020CEE0F492E4D282422D77099D6C6BF322A27F67696588EEC76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030714Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.455{2E2BE06D-741D-60FE-9D79-00000000E601}27322068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030713Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.267{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-741D-60FE-9D79-00000000E601}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030712Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.267{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030711Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.267{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030710Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.267{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030709Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.267{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030708Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.267{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-741D-60FE-9D79-00000000E601}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030707Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.267{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-741D-60FE-9D79-00000000E601}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030706Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.237{2E2BE06D-741D-60FE-9D79-00000000E601}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000893195Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:45.467{D94AFF6C-6DD8-60FA-1100-00000000E701}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7561D611F72034EC914662F2DC542D11,SHA256=D392F385147DC81E8C4EE26C19976EC236ABBF565FC5DEDAE47245D3A97B4AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893197Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:46.780{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=250FE543F88D86615649B32AB17DE7BF,SHA256=9A9A5E4678278D281C0149567FB6B5DEA2B954408D74B4F6FE7BCB772360795D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030737Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.830{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087188D237BC02A5996E0A3E0BE8D77D,SHA256=427C8104EA881045F7AD0C9E45B584C6E0125D44E3BB03588896AE19B4770C4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030736Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.814{2E2BE06D-741E-60FE-9F79-00000000E601}66206824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030735Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.642{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-741E-60FE-9F79-00000000E601}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030734Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.626{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030733Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.626{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030732Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.626{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030731Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.626{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030730Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.626{2E2BE06D-6DD6-60FA-0500-00000000E601}416432C:\Windows\system32\csrss.exe{2E2BE06D-741E-60FE-9F79-00000000E601}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030729Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.626{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-741E-60FE-9F79-00000000E601}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030728Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.627{2E2BE06D-741E-60FE-9F79-00000000E601}6620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001030727Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.218{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57592-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001030726Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:45.549{2E2BE06D-6DD8-60FA-0F00-00000000E601}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse193.93.62.7-4068-false10.0.1.14win-dc-56.attackrange.local3389ms-wbt-server 23542300x80000000000000001030725Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.236{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA064292AE796FCB75749E7547054550,SHA256=B86DEB79CD83EB62939ADAD5E815E61ADEC1FA646CE3F439F30B685D611B2770,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030724Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:46.142{2E2BE06D-741D-60FE-9E79-00000000E601}46921532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000893198Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:47.796{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED6E6DCA5B2C5266B4AF091960A5C4B,SHA256=60F74D78DBF2C1AA9ED08572DA5584B407590824DEEE9D054C3AE3555469D25E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030748Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:47.830{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF967E1C1796595A1EA724DBAD6A186,SHA256=E87A146402E52028936B00044E92CAFD0AF094CDB5109C1B5491707411F49BCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030747Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:47.658{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDE92C4E434767CE1F6171584A09874B,SHA256=A7A71DEC9AFA150ACC9E0DEC54F5EBA8AA6A6FC3E90C869FD96D25069B1E0870,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030746Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:47.501{2E2BE06D-741F-60FE-A079-00000000E601}9445216C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030745Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:47.314{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-741F-60FE-A079-00000000E601}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030744Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:47.314{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030743Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:47.314{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030742Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:47.314{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030741Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:47.314{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030740Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:47.314{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-741F-60FE-A079-00000000E601}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030739Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:47.314{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-741F-60FE-A079-00000000E601}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030738Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:47.299{2E2BE06D-741F-60FE-A079-00000000E601}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001030749Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:48.830{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE75979E37370328181C696EF506F40,SHA256=17A05324B2BB52DAF5F51E6BCA1CB858457F9DE0BC60CA6A9934FA4D1895B053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893199Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:48.811{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECFC94F148090F4EB15C3B53241836C6,SHA256=69DBB0D225EBBEEFF971CC03B71AC4C824625124D8F8BEDF99FEFC5AA81FEBAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893200Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:49.811{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8EE48D781AA2EBD7817920CBCBBCA7,SHA256=F7FCF4B05327476FD4CB089F0DABF7A79AFAAA49E66BA13EEA0167AAACBA296C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030750Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:49.830{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B2EF49640355BEC774BAE50E20D20D,SHA256=198CB60839E5E74274959203C6333D1997E349D13D40985ABD1104CE08CFEA68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893203Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:50.827{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F81B9F2C6BEFAEB11EF054922D630F38,SHA256=A63FDC63878B0439123850B7443BD3879314D49513D58CE8482086EC11A82F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030752Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:50.830{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75531EF1DDEE95FF77538F96377CE002,SHA256=0A73BC4C3A89FF3EE41EAB57B6A39671C3DF44DFD0FC010FA644582F553BCD0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893202Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:50.436{D94AFF6C-6DD9-60FA-2200-00000000E701}1296NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=85E02EEFEB94889C2B3FA0450D64D965,SHA256=FD2D44B44F455C51F744FDF6D494B2B2CAA113DD2D7C2DD2E0FED42E8CA25B0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893201Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:39.085{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52690-false10.0.1.12-8000- 23542300x80000000000000001030751Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:50.642{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CDA8B34537485056275C26970FEAD35,SHA256=D622AA959E58211C9AF414E17E878898029AC6A8FEC9AEF7A45F8350CF020C1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030763Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:51.845{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=028C1D13782E951AC5EFFC78A5B90153,SHA256=F01240B0BE95A894DB909F63262680B12412A6B036330B7A30AD44B64669395D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001030762Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:51.830{2E2BE06D-6DE9-60FA-3300-00000000E601}31563176C:\Windows\system32\conhost.exe{2E2BE06D-7423-60FE-A179-00000000E601}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030761Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:51.830{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030760Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:51.830{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030759Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:51.830{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030758Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:51.830{2E2BE06D-6DD8-60FA-0C00-00000000E601}8446148C:\Windows\system32\svchost.exe{2E2BE06D-6DE8-60FA-2600-00000000E601}2884C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001030757Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:51.830{2E2BE06D-6DD6-60FA-0500-00000000E601}416536C:\Windows\system32\csrss.exe{2E2BE06D-7423-60FE-A179-00000000E601}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001030756Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:51.830{2E2BE06D-6DE8-60FA-2700-00000000E601}28923740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E2BE06D-7423-60FE-A179-00000000E601}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001030755Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:51.815{2E2BE06D-7423-60FE-A179-00000000E601}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E2BE06D-6DD6-60FA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{2E2BE06D-6DE8-60FA-2700-00000000E601}2892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001030754Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:50.750{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57593-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 354300x80000000000000001030753Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:50.750{2E2BE06D-6DE8-60FA-2300-00000000E601}2740C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-56.attackrange.local57593-true0:0:0:0:0:0:0:1win-dc-56.attackrange.local389ldap 23542300x80000000000000001030766Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:52.845{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDFFE5D20CA64D4B39259FAE55AFF71F,SHA256=9F204FE1B4190B45A43975AB06C1C5326D1AE3A377A0663027835276A05251F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030765Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:52.845{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A9E9B644E0921E62624EBF7A62C4D7,SHA256=41425D95A380F312608E5925D7A0A40FCAFF2D27DECD2C174C1FF1B3146DFF54,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893205Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:42.429{D94AFF6C-6DD9-60FA-2200-00000000E701}1296C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52691-false10.0.1.12-8089- 23542300x8000000000000000893204Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:52.061{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4713C74450EEC85C92C67DECBD55D17D,SHA256=84A1D1CC03C65E82C310A839145310090ABFC086BB5D71CDCBCE0BF978222C70,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030764Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:51.343{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57594-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030767Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:53.861{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95ED5EE667A9BC74E258E1156774B2E3,SHA256=A77F422DEFC95C258584CF9FA3A8EB73B663F32D9A94F18480BBB0888798DE9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893206Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:53.155{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46C3A0949A80FEBA936E86784963FA7C,SHA256=2DBFDBCFE5F0B36D2989CB454C8CDD5177F6DE32A577EAC649BA21F806DF0446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030768Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:54.892{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC81E198E95F6E23DF159EE004AB0F03,SHA256=971588ECEA140E724D906AEA98FA3E47F0CCA3291E6CECF3CAE402F9DE96DA81,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893208Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:44.225{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52692-false10.0.1.12-8000- 23542300x8000000000000000893207Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:54.171{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2B9658DC861563B1558BA76009C4BA6,SHA256=4D8C6CF4C824B25F5350FF8E8C101030C60EAD6AFF6D49FB6D70073DFAD5F7B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030769Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:55.892{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2C5BF8AAA43BD2AE9E75360EDF7939,SHA256=9B12E6D914D1D461B9233BF754E83C4D48599B8298C767F049D134D9FCA062ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893210Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:55.405{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0FA6E0D4CF96DF9BF90CA2954DC22B,SHA256=A24D680656B3E16B2E8EAAD49395DCB0E637BDC618FE46CC2A761D06D1A80EA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893209Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:45.434{D94AFF6C-6DD8-60FA-1000-00000000E701}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse107.173.59.121121-59-173-107.reverse-dns49398-false10.0.1.15win-host-702.eu-central-1.compute.internal3389ms-wbt-server 23542300x80000000000000001030770Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:56.893{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B45512DE4F7DF4FD4BCFB80880C45E,SHA256=76F373D219B8F76394A9C995D649EA75565DB77A43BD97BC31CA6220864686E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893213Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:56.952{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6DF8D3A24B5FC4AD6F5EEDDB79D0148,SHA256=E439BBAFF28EAC72FA8484E0828A34157D4ABF8C4C6F5915A6E5F466DCF9ADBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893212Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:56.952{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBF79ECFFB80E531072F4EAFDA86D05A,SHA256=0F13A24FDF7DCDB76602C9BE8DEB9C0C64C6F1CEDDDDBB72531EE228ED1A4E76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893211Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:56.624{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57117FF530BA5038EEAC08A37E2CF7B6,SHA256=485C01CE1D87BFDFCB3F87B74B127080F5020636EF1F6F8D7C787B5C15C49ADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030772Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:57.908{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A89FB245F882128ECB6B3777102DC81,SHA256=CB91CD7D7F8FE248660CC379D45827DD756C6368C39444842C19DE819596E90E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893214Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:57.657{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F7C43901B091701B5AEDCC95C6ACD20,SHA256=14DA00B613BC56BCFD83B2F9DAEAFACB2A006B4F316FEFC4745890D23AABC250,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001030771Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:57.171{2E2BE06D-6DF4-60FA-6900-00000000E601}3676C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-56.attackrange.local57595-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001030775Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:58.923{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=788F9EA0BEF6B74AA1CCA26CDDE1C19D,SHA256=ADD9BC6D0D62E6D3D5651DCC798C2B0312FA8D3862451E905F37CEDC6E8BC072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000893215Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:58.675{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7748DA9D95C1C4A0EAE8E6BD2AF53940,SHA256=D85A6B01D34B35E11CE91B9C9C4B64521ED637CFC6B3A7033D880AB4D4CDB1AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030774Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:58.486{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BD9826B8CA828C7BF5AD77AB9564DA7,SHA256=BBA6894A1786AD0508D6FAB1851AB00FB14C5D01E66972EC7FD9244DC8609ECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030773Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:58.486{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7FA858D3742C776B7D5F5E95B871D98,SHA256=F2EA881556A49442447AA0D110E90F4C9B5A0D4A21EA277EE0CF876EB86B6955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001030786Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-2021-07-26 08:36:59.923{2E2BE06D-6DFB-60FA-7200-00000000E601}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D10DC7C7DD0539989F66BB3CB19E9DD,SHA256=15D05FC48A900E69E2223F7B147001ABFEF2E00D7930D0F2186CCC0A2172220C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000893217Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:50.136{D94AFF6C-6DE2-60FA-6100-00000000E701}3628C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-702.eu-central-1.compute.internal52693-false10.0.1.12-8000- 23542300x8000000000000000893216Microsoft-Windows-Sysmon/Operationalwin-host-702-2021-07-26 08:36:59.753{D94AFF6C-6DE9-60FA-6B00-00000000E701}4016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=792BD0190F061DA5DFE0A10ACEEE4EF2,SHA256=F5704C5CDDD6878EF17646401790947DC21E3B083504BC7E6C2695A204B85D8F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001030785Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:36:59.595{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001030784Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:36:59.595{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fb8d155) 13241300x80000000000000001030783Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:36:59.595{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d781f1-0x0459637f) 13241300x80000000000000001030782Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:36:59.595{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d781f9-0x661dcb7f) 13241300x80000000000000001030781Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:36:59.595{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d78201-0xc7e2337f) 13241300x80000000000000001030780Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:36:59.595{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001030779Microsoft-Windows-Sysmon/Operationalwin-dc-56.attackrange.local-SetValue2021-07-26 08:36:59.595{2E2BE06D-6DD6-60FA-0B00-00000000E601}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fb8d155) 13241300x80000000000000001030778Microsoft-Windows-Sysmon/Operational